Abstract

Knowledge and Action Bases (KABs) have been put forward as a semantically rich representation of a domain, using a DL KB to account for its static aspects, and actions to evolve its extensional part over time, possibly introducing new objects. Recently, KABs have been extended to manage inconsistency, with ad-hoc verification techniques geared towards specific semantics. This work provides a twofold contribution along this line of research. On the one hand, we enrich KABs with a high-level, compact action language inspired by Golog, obtaining so-called Golog-KABs (GKABs). On the other hand, we introduce a parametric execution semantics for GKABs, so as to elegantly accommodate a plethora of inconsistency-aware semantics based on the notion of repair. We then provide several reductions for the verification of sophisticated first-order temporal properties over inconsistency-aware GKABs, and show that it can be addressed using known techniques, developed for standard KABs.


1 Introduction

The combination of static and dynamic aspects in modeling complex organizational domains is a challenging task that has received increased attention, and has led to the study of settings combining formalisms from knowledge representation, database theory, and process management [Hull, 2008; Vianu, 2009; Calvanese et al., 2013a]. Specifically, Knowledge and Action Bases (KABs) [Bagheri Hariri et al., 2013b] have been put forward to provide a semantically rich representation of a domain. In KABs, static aspects are modeled using a knowledge base (KB) expressed in the lightweight Description Logic (DL) [Baader et al., 2003] DL-Lite$_\mathcal{A}$ [Calvanese et al., 2007b; Calvanese et al., 2009], while actions are used to evolve its extensional part over time, possibly introducing fresh individuals from the external environment. An important aspect that has received little attention so far in such systems is the management of inconsistency with respect to domain knowledge that may arise when the extensional information is evolved over time. In fact, inconsistency is typically handled naively by just rejecting updates in actions when they would lead to inconsistency. This shortcoming is not only present in KABs, but virtually in all related approaches in the literature, e.g., [Deutsch et al., 2009; Belardinelli et al., 2012; Bagheri Hariri et al., 2013a].

To overcome this limitation, KABs have been extended lately with mechanisms to handle inconsistency [Calvanese et al., 2013b]. However, this has been done by defining ad-hoc execution semantics and corresponding ad-hoc verification techniques geared towards specific semantics for inconsistency management. Furthermore, it has been left open whether introducing inconsistency management in the rich setting of KABs effectively leads to systems with a different level of expressive power. In this paper, we attack these issues by: (i) Proposing (standard) GKABs, which enrich KABs with a compact action language inspired by Golog [Levesque et al., 1997] that can be conveniently used to specify processes at a high level of abstraction. As in KABs, standard GKABs still manage inconsistency naively. (ii) Defining a parametric execution semantics for GKABs that is able to elegantly accommodate a plethora of inconsistency-aware semantics based on the well-known notion of repair [Eiter and Gottlob, 1992; Bertossi, 2006; Lembo et al., 2010; Calvanese et al., 2010]. (iii) Providing several reductions showing that verification of sophisticated first-order temporal properties over inconsistency-aware GKABs can be recast as a corresponding verification problem over standard GKABs. (iv) Showing that verification of standard and inconsistency-aware GKABs can be addressed using known techniques, developed for standard KABs.

2 Preliminaries

We start by introducing the necessary technical preliminaries.

2.1 DL-Lite$_\mathcal{A}$

We fix a countably infinite set $\Delta$ of individuals, acting as standard names. To model KBs, we use the lightweight logic DL-Lite$_\mathcal{A}$ [Calvanese et al., 2007b; Calvanese et al., 2009], whose concepts and roles are built according to $B ::= N \mid \exists R$ and $R ::= P \mid P^-$, where $N$ is a concept name, $B$ a basic concept, $P$ a role name, $P^-$ an inverse role, and $R$ a basic role.

A DL-Lite$_\mathcal{A}$ KB is a pair $(T, A)$, where: (i) $A$ is an ABox, i.e., a finite set of ABox assertions (or facts) of the form $N(c_1)$ or $P(c_1, c_2)$, where $c_1, c_2$ are individuals; (ii) $T = T_p \uplus T_n \uplus T_f$ is a TBox, i.e., a finite set constituted by a subset $T_p$ of positive inclusion assertions of the form $B_1 \sqsubseteq B_2$ and $R_1 \sqsubseteq R_2$, a subset $T_n$ of negative inclusion assertions of the form $B_1 \sqsubseteq \neg B_2$ and $R_1 \sqsubseteq \neg R_2$, and a subset $T_f$ of functionality assertions of the form $(\mathit{funct}\ R)$. We denote by $\mathrm{ADOM}(A)$ the set of individuals explicitly present in $A$.

We rely on the standard semantics of DLs based on FOL interpretations $\mathcal{I} = (\Delta^\mathcal{I}, \cdot^\mathcal{I})$, where $c^\mathcal{I} \in \Delta^\mathcal{I}$, $N^\mathcal{I} \subseteq \Delta^\mathcal{I}$, and $P^\mathcal{I} \subseteq \Delta^\mathcal{I} \times \Delta^\mathcal{I}$. The semantics of the DL-Lite$_\mathcal{A}$ constructs and of TBox and ABox assertions, and the notions of satisfaction and of model are as usual (see, e.g., [Calvanese et al., 2007b]). We say that $A$ is $T$-consistent if $(T, A)$ is satisfiable, i.e., admits at least one model. We also assume that all concepts and roles in $T$ are satisfiable, i.e., for every concept $N$ in $T$, there exists at least one model $\mathcal{I}$ of $T$ such that $N^\mathcal{I}$ is non-empty, and similarly for roles.

Queries. We use queries to access KBs and extract individuals of interest. A union of conjunctive queries (UCQ) $q$ over a KB $(T, A)$ is a FOL formula of the form $\bigvee_{1 \le i \le n} \exists \vec{y}_i . \mathit{conj}_i(\vec{x}, \vec{y}_i)$, where each $\mathit{conj}_i(\vec{x}, \vec{y}_i)$ is a conjunction of atoms, whose predicates are either concept/role names of $T$, or equality assertions involving variables $\vec{x}$ and $\vec{y}_i$, and/or individuals.

The (certain) answers of $q$ over $(T, A)$ are defined as the set $\mathrm{ANS}(q, T, A)$ of substitutions $\sigma$ of the free variables in $q$ with individuals in $\mathrm{ADOM}(A)$, such that $q\sigma$ evaluates to true in every model of $(T, A)$. If $q$ has no free variables, then it is called boolean and its certain answers are either the empty substitution (corresponding to true), or the empty set (corresponding to false). We also consider the extension of UCQs named EQL-Lite(UCQ) [Calvanese et al., 2007a] (briefly, ECQs), that is, the FOL query language whose atoms are UCQs evaluated according to the certain answer semantics above. Formally, an ECQ over a TBox $T$ is a (possibly open) formula of the form¹

$Q ::= [q] \mid \neg Q \mid Q_1 \wedge Q_2 \mid \exists x . Q$

where $q$ is a UCQ, and $[q]$ denotes the fact that $q$ is evaluated under the (minimal) knowledge operator [Calvanese et al., 2007a].² Intuitively, the certain answers $\mathrm{ANS}(Q, T, A)$ of an ECQ $Q$ over $(T, A)$ are obtained by computing the certain answers of the UCQs embedded in $Q$, then composing such answers through the FO constructs in $Q$ (interpreting existential variables as ranging over $\mathrm{ADOM}(A)$).

2.2 Inconsistency Management in DL KBs

Retrieving certain answers from a KB makes sense only if the KB is consistent: if it is not, then each query returns all possible tuples of individuals of the ABox. In a dynamic setting where the ABox evolves over time, consistency is a too strong requirement, and in fact a number of approaches have been proposed to handle the instance-level evolution of KBs, managing inconsistency when it arises. Such approaches typically follow one of the following two strategies: (i) inconsistencies are kept in the KB, but the semantics of query answering is refined to take this into account (consistent query answering [Bertossi, 2006]); (ii) the extensional part of an inconsistent KB is (minimally) repaired so as to remove inconsistencies, and certain answers are then computed over the curated KB. In this paper, we follow the approach in [Calvanese et al., 2013b], and consequently focus on repair-based approaches. However, our results seamlessly carry over to the setting of consistent query answering. We now recall the basic notions related to inconsistency management via repair, distinguishing approaches that repair an ABox from those that repair an update.

¹ In this work we only consider domain independent ECQs.
² We omit the square brackets for single-atom UCQs.


ABox repairs. Starting from the seminal work in [Eiter and Gottlob, 1992], in [Lembo et al., 2010] two approaches for repairing KBs are proposed: ABox repair (AR) and intersection ABox repair (IAR). In [Calvanese et al., 2013b], these approaches are used to handle inconsistency in KABs, and are respectively called bold-repair (b-repair) and certain-repair (c-repair). Formally, a b-repair of an ABox $A$ w.r.t. a TBox $T$ is a maximal $T$-consistent subset $A'$ of $A$, i.e.: (i) $A' \subseteq A$, (ii) $A'$ is $T$-consistent, and (iii) there does not exist $A''$ such that $A' \subset A'' \subseteq A$ and $A''$ is $T$-consistent. We denote by $\mathrm{B\text{-}REP}(T, A)$ the set of all b-repairs of $(T, A)$. The c-repair of an ABox $A$ w.r.t. a TBox $T$ is the (unique) set $\mathrm{C\text{-}REP}(T, A) = \bigcap_{A_i \in \mathrm{B\text{-}REP}(T, A)} A_i$ of ABox assertions, obtained by intersecting all b-repairs.


Inconsistency in KB evolution. In a setting where the KB is subject to instance-level evolution, b- and c-repairs are computed agnostically from the updates: each update is committed, and only afterwards the obtained ABox is repaired if inconsistent. In [Calvanese et al., 2010], a so-called bold semantics is proposed to apply the notion of repair to the update itself. Specifically, the bold semantics is defined over a consistent KB $(T, A)$ and an instance-level update that comprises two ABoxes $F^-$ and $F^+$, respectively containing those assertions that have to be deleted from and then added to $A$. It is assumed that $F^+$ is consistent with $T$, and that new assertions have "priority": if an inconsistency arises, newly introduced facts are preferred to those already present in $A$. Formally, the evolution of an ABox $A$ w.r.t. a TBox $T$ by $F^+$ and $F^-$, written $\mathrm{EVOL}(T, A, F^+, F^-)$, is an ABox $A_e = F^+ \cup A'$, where (i) $A' \subseteq (A \setminus F^-)$, (ii) $F^+ \cup A'$ is $T$-consistent, and (iii) there does not exist $A''$ such that $A' \subset A'' \subseteq (A \setminus F^-)$ and $F^+ \cup A''$ is $T$-consistent.


2.3 Knowledge and Action Bases

Knowledge and Action Bases (KABs) [Bagheri Hariri et al., 2013b] have been proposed as a unified framework to simultaneously account for the static and dynamic aspects of an application domain. This is done by combining a semantically rich representation of the domain (via a DL KB) with a process that evolves the extensional part of such a KB, possibly introducing, through service calls, new individuals from the external world. We briefly recall the main aspects of KABs, by combining the framework in [Bagheri Hariri et al., 2013b] with the action specification formalism in [Montali et al., 2014].

We consider a finite set of distinguished individuals $\Delta_0 \subseteq \Delta$, and a finite set $\mathcal{F}$ of functions representing service calls, which abstractly account for the injection of fresh individuals from $\Delta$ into the system. A KAB is a tuple $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ where: (i) $T$ is a DL-Lite$_\mathcal{A}$ TBox that captures the intensional aspects of the domain of interest; (ii) $A_0$ is the initial DL-Lite$_\mathcal{A}$ ABox, describing the initial configuration of data; (iii) $\Gamma$ is a finite set of parametric actions that evolve the ABox; (iv) $\Pi$ is a finite set of condition-action rules forming a process, which describes when actions can be executed, and with which parameters. We assume that $\mathrm{ADOM}(A_0) \subseteq \Delta_0$.

An action $\alpha \in \Gamma$ has the form $\alpha(\vec{p}) : \{e_1, \ldots, e_m\}$, where (i) $\alpha$ is the action name, (ii) $\vec{p}$ are the input parameters, and (iii) $\{e_1, \ldots, e_m\}$ is the set of effects. Each effect has the form $Q(\vec{x}) \rightsquigarrow \mathit{add}\ F^+, \mathit{del}\ F^-$, where: (i) $Q(\vec{x})$ is an ECQ, possibly mentioning individuals in $\Delta_0$ and action parameters $\vec{p}$; (ii) $F^+$ is a set of atoms (over the alphabet of $T$) to be added to the ABox, each having as terms: individuals in $\Delta_0$, action parameters $\vec{p}$, free variables $\vec{x}$ of $Q$, and service calls, represented as Skolem terms formed by applying a function $f \in \mathcal{F}$ to one of the previous kinds of terms; (iii) $F^-$ is a set of atoms (over the alphabet of $T$) to be deleted from the ABox, each having as terms: individuals in $\Delta_0$, input parameters $\vec{p}$, and free variables of $Q$. We denote by $\mathrm{EFF}(\alpha)$ the set of effects in $\alpha$. Intuitively, action $\alpha$ is executed by grounding its parameters, and then applying its effects in parallel. Each effect instantiates the atoms mentioned in its head with all answers of $Q$, then issues the corresponding service calls possibly contained in $F^+$, and substitutes them with the obtained results (which are individuals from $\Delta$). The update induced by $\alpha$ is produced by adding and removing the ground atoms so obtained to/from the current ABox, giving higher priority to additions.


The process $\Pi$ comprises a finite set of condition-action rules of the form $Q(\vec{x}) \mapsto \alpha(\vec{x})$, where: $\alpha \in \Gamma$ is an action, and $Q(\vec{x})$ is an ECQ over $T$, whose terms are free variables $\vec{x}$, quantified variables, and individuals in $\Delta_0$. Each condition-action rule determines the instantiations of parameters with which to execute the action in its head over the current ABox.

The execution semantics of a KAB is given in terms of a possibly infinite-state transition system, whose construction depends on the adopted semantics of inconsistency [Calvanese et al., 2013b]. In general, the transition systems we consider are of the form $(\Delta, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$, where: (i) $T$ is a DL-Lite$_\mathcal{A}$ TBox; (ii) $\Sigma$ is a (possibly infinite) set of states; (iii) $s_0 \in \Sigma$ is the initial state; (iv) $\mathit{abox}$ is a function that, given a state $s \in \Sigma$, returns an ABox associated to $s$; (v) $\Rightarrow \subseteq \Sigma \times \Sigma$ is a transition relation between pairs of states.

Following the terminology in [Calvanese et al., 2013b], we call S-KAB a KAB under the standard execution semantics of KABs, where inconsistency is naively managed by simply rejecting those updates that lead to an inconsistent state. The transition system $\Upsilon^S_\mathcal{K}$ accounting for the standard execution semantics of KAB $\mathcal{K}$ is then constructed by starting from the initial ABox, applying the executable actions in all possible ways, and generating the (consistent) successor states by applying the corresponding updates, then iterating through this procedure. As for the semantics of service calls, in line with [Calvanese et al., 2013b] we adopt the deterministic semantics, i.e., services always return the same result when called with the same inputs. Nondeterministic services can be seamlessly added without affecting our technical results.

To ensure that services behave deterministically, the states of the transition system are also equipped with a service call map that stores the service calls issued so far, and their corresponding results. Technically, a service call map is a partial function $m : \mathrm{SC} \to \Delta$, where $\mathrm{SC} = \{ sc(v_1, \ldots, v_n) \mid sc/n \in \mathcal{F} \text{ and } \{v_1, \ldots, v_n\} \subseteq \Delta \}$ is the set of (Skolem terms representing) service calls.


2.4 Verification Formalism

To specify sophisticated temporal properties to be verified over KABs, taking into account the system dynamics as well as the evolution of data over time, we rely on the $\mu\mathcal{L}^{\mathit{EQL}}_A$ logic, the FO variant of the $\mu$-calculus defined in [Bagheri Hariri et al., 2013b]. $\mu\mathcal{L}^{\mathit{EQL}}_A$ combines the standard temporal operators of the $\mu$-calculus with EQL queries over the states. FO quantification is interpreted with an active domain semantics, i.e., it ranges over those individuals that are explicitly present in the current ABox, and fully interacts with temporal modalities, i.e., it applies across states. The $\mu\mathcal{L}^{\mathit{EQL}}_A$ syntax is:

$\Phi ::= Q \mid \neg\Phi \mid \Phi_1 \wedge \Phi_2 \mid \exists x . \Phi \mid \langle - \rangle \Phi \mid Z \mid \mu Z . \Phi$

where $Q$ is a possibly open EQL query that can make use of the distinguished individuals in $\Delta_0$, $Z$ is a second-order variable denoting a predicate (of arity 0), $\langle - \rangle \Phi$ indicates the existence of a next state where $\Phi$ holds, and $\mu$ is the least fixpoint operator, parametrized with the free variables of its bounding formula. We make use of the following standard abbreviations: $\forall x . \Phi = \neg(\exists x . \neg\Phi)$, $\Phi_1 \vee \Phi_2 = \neg(\neg\Phi_1 \wedge \neg\Phi_2)$, $[-]\Phi = \neg\langle - \rangle\neg\Phi$, and $\nu Z . \Phi$ for the greatest fixpoint, defined dually to $\mu$.

For the semantics of $\mu\mathcal{L}^{\mathit{EQL}}_A$, which is given over transition systems of the form specified in Section 2.3, we refer to [Bagheri Hariri et al., 2013b]. Given a transition system $\Upsilon$ and a closed $\mu\mathcal{L}^{\mathit{EQL}}_A$ formula $\Phi$, we call model checking verifying whether $\Phi$ holds in the initial state of $\Upsilon$, written $\Upsilon \models \Phi$.


3 Golog-KABs and Inconsistency

In this section, we leverage the KAB framework (cf. Section 2.3) and provide a twofold contribution. On the one hand, we enrich KABs with a high-level action language inspired by Golog [Levesque et al., 1997]. This allows modelers to represent processes much more compactly, and will be instrumental for the reductions discussed in Sections 4 and 5. On the other hand, we introduce a parametric execution semantics, which elegantly accommodates a plethora of inconsistency-aware semantics based on the notion of repair.

A Golog-KAB (GKAB) is a tuple $\mathcal{G} = (T, A_0, \Gamma, \delta)$, where $T$, $A_0$, and $\Gamma$ are as in standard KABs, and $\delta$ is the Golog program characterizing the evolution of the GKAB over time, using the atomic actions in $\Gamma$. For simplicity, we only consider a core fragment³ of Golog based on the action language in [Calvanese et al., 2011], and define a Golog program as:

$\delta ::= \varepsilon \mid \mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p}) \mid \delta_1 | \delta_2 \mid \delta_1 ; \delta_2 \mid \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2 \mid \mathbf{while}\ \varphi\ \mathbf{do}\ \delta$

where: (1) $\varepsilon$ is the empty program; (2) $\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})$ is an atomic action invocation guarded by an ECQ $Q$, such that $\alpha \in \Gamma$ is applied by non-deterministically substituting its parameters $\vec{p}$ with an answer of $Q$; (3) $\delta_1 | \delta_2$ is a non-deterministic choice between programs; (4) $\delta_1 ; \delta_2$ is sequencing; (5) $\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2$ and $\mathbf{while}\ \varphi\ \mathbf{do}\ \delta$ are conditional and loop constructs, using a boolean ECQ $\varphi$ as condition.

³ The other Golog constructs, including non-deterministic iteration and unrestricted pick, can be simulated with the constructs considered here.

Execution Semantics. As for normal KABs, the execution semantics of a GKAB $\mathcal{G}$ is given in terms of a possibly infinite-state transition system $\Upsilon_\mathcal{G}$, whose states are labelled with ABoxes. The states we consider are tuples of the form $(A, m, \delta)$, where $A$ is an ABox, $m$ a service call map, and $\delta$ a program. Together, $A$ and $m$ constitute the data-state, which captures the result of the actions executed so far, together with the answers returned by service calls issued in the past. Instead, $\delta$ is the process-state, which represents the program that still needs to be executed from the current data-state.

We adopt the functional approach by Levesque [1984] in defining the semantics of action execution over $\mathcal{G}$, i.e., we assume $\mathcal{G}$ provides two operations: (i) ASK, to answer queries over the current KB; (ii) TELL, to update the KB through an atomic action. Since we adopt repairs to handle inconsistency, the ASK operator corresponds to certain answers computation.

We proceed now to formally define TELL. Given an action invocation $\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})$ and an ABox $A$, we say that a substitution $\sigma$ of parameters $\vec{p}$ with individuals in $A$ is legal for $\alpha$ in $A$ if $\mathrm{ANS}(Q\sigma, T, A)$ is true. If so, we also say that $\alpha\sigma$ is executable in $A$, and we define the sets of atoms to be added and deleted by $\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})$ with $\sigma$ in $A$ as follows:

$\mathrm{ADD}^A_{\alpha\sigma} = \bigcup_{(Q \rightsquigarrow \mathit{add}\ F^+, \mathit{del}\ F^-) \in \mathrm{EFF}(\alpha)}\ \bigcup_{\rho \in \mathrm{ANS}(Q\sigma, T, A)} F^+\sigma\rho$

$\mathrm{DEL}^A_{\alpha\sigma} = \bigcup_{(Q \rightsquigarrow \mathit{add}\ F^+, \mathit{del}\ F^-) \in \mathrm{EFF}(\alpha)}\ \bigcup_{\rho \in \mathrm{ANS}(Q\sigma, T, A)} F^-\sigma\rho$

In general, $\mathrm{ADD}^A_{\alpha\sigma}$ is not a proper set of facts, because it could contain (ground) service calls, to be substituted with corresponding results. We denote by $\mathrm{CALLS}(\mathrm{ADD}^A_{\alpha\sigma})$ the set of ground service calls in $\mathrm{ADD}^A_{\alpha\sigma}$, and by $\mathrm{EVAL}(\mathrm{ADD}^A_{\alpha\sigma})$ the set of call substitutions with individuals in $\Delta$, i.e., the set

$\{\theta \mid \theta \text{ is a total function}, \theta : \mathrm{CALLS}(\mathrm{ADD}^A_{\alpha\sigma}) \to \Delta\}$

Given two ABoxes $A$ and $A'$ where $A$ is assumed to be $T$-consistent, and two sets $F^+$ and $F^-$ of facts, we introduce a so-called filter relation to indicate that $A'$ is obtained from $A$ by adding the $F^+$ facts and removing the $F^-$ ones. To account for inconsistencies, the filter could drop some additional facts when producing $A'$. Hence, a filter consists of tuples of the form $(A, F^+, F^-, A')$ satisfying $\emptyset \subseteq A' \subseteq ((A \setminus F^-) \cup F^+)$. In this light, filter relations provide an abstract mechanism to accommodate several inconsistency management approaches.

We now concretize TELL as follows. Given a GKAB $\mathcal{G}$ and a filter $f$, we define $\mathrm{TELL}_f$ as the following relation over pairs of data-states in $\Upsilon_\mathcal{G}$: tuple $((A, m), \alpha\sigma, (A', m')) \in \mathrm{TELL}_f$ if

• $\sigma$ is a legal parameter substitution for $\alpha$ in $A$, and

• there exists $\theta \in \mathrm{EVAL}(\mathrm{ADD}^A_{\alpha\sigma})$ such that: (i) $\theta$ and $m$ agree on the common values in their domains (this enforces the deterministic semantics for services); (ii) $m' = m \cup \theta$; (iii) $(A, \mathrm{ADD}^A_{\alpha\sigma}\theta, \mathrm{DEL}^A_{\alpha\sigma}, A') \in f$, where $\mathrm{ADD}^A_{\alpha\sigma}\theta$ denotes the set of facts obtained by applying $\theta$ over the atoms in $\mathrm{ADD}^A_{\alpha\sigma}$; (iv) $A'$ is $T$-consistent.

As a last preliminary notion towards the parametric execution semantics of GKABs, we specify when a state $(A, m, \delta)$ is considered to be final by its program $\delta$, written $(A, m, \delta) \in F$. This is done by defining the set $F$ of final states as follows:

1. $(A, m, \varepsilon) \in F$;

2. $(A, m, \delta_1 | \delta_2) \in F$ if $(A, m, \delta_1) \in F$ or $(A, m, \delta_2) \in F$;

3. $(A, m, \delta_1 ; \delta_2) \in F$ if $(A, m, \delta_1) \in F$ and $(A, m, \delta_2) \in F$;

4. $(A, m, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \in F$ if $\mathrm{ANS}(\varphi, T, A) = \mathit{true}$, and $(A, m, \delta_1) \in F$;

5. $(A, m, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \in F$ if $\mathrm{ANS}(\varphi, T, A) = \mathit{false}$, and $(A, m, \delta_2) \in F$;

6. $(A, m, \mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \in F$ if $\mathrm{ANS}(\varphi, T, A) = \mathit{false}$;

7. $(A, m, \mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \in F$ if $\mathrm{ANS}(\varphi, T, A) = \mathit{true}$, and $(A, m, \delta) \in F$.

Now, given a filter relation $f$, we define the program execution relation $\xrightarrow{\alpha\sigma, f}$, describing how an atomic action with parameters simultaneously evolves the data- and program-state:

1. $(A, m, \mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})) \xrightarrow{\alpha\sigma, f} (A', m', \varepsilon)$, if $((A, m), \alpha\sigma, (A', m')) \in \mathrm{TELL}_f$;

2. $(A, m, \delta_1 | \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta')$, if $(A, m, \delta_1) \xrightarrow{\alpha\sigma, f} (A', m', \delta')$ or $(A, m, \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta')$;

3. $(A, m, \delta_1 ; \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta_1' ; \delta_2)$, if $(A, m, \delta_1) \xrightarrow{\alpha\sigma, f} (A', m', \delta_1')$;

4. $(A, m, \delta_1 ; \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta_2')$, if $(A, m, \delta_1) \in F$, and $(A, m, \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta_2')$;

5. $(A, m, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta_1')$, if $\mathrm{ANS}(\varphi, T, A) = \mathit{true}$, and $(A, m, \delta_1) \xrightarrow{\alpha\sigma, f} (A', m', \delta_1')$;

6. $(A, m, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta_2')$, if $\mathrm{ANS}(\varphi, T, A) = \mathit{false}$, and $(A, m, \delta_2) \xrightarrow{\alpha\sigma, f} (A', m', \delta_2')$;

7. $(A, m, \mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \xrightarrow{\alpha\sigma, f} (A', m', \delta' ; \mathbf{while}\ \varphi\ \mathbf{do}\ \delta)$, if $\mathrm{ANS}(\varphi, T, A) = \mathit{true}$, and $(A, m, \delta) \xrightarrow{\alpha\sigma, f} (A', m', \delta')$.

Given a GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$ and a filter relation $f$, we finally define the transition system of $\mathcal{G}$ w.r.t. $f$, written $\Upsilon^f_\mathcal{G}$, as $(\Delta, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$, where $s_0$ is the initial state, formed by the initial ABox $A_0$, the empty service call map, and the program $\delta$, and $\Sigma$ and $\Rightarrow$ are defined by simultaneous induction as the smallest sets such that $s_0 \in \Sigma$, and if $(A, m, \delta) \in \Sigma$ and $(A, m, \delta) \xrightarrow{\alpha\sigma, f} (A', m', \delta')$, then $(A', m', \delta') \in \Sigma$ and $(A, m, \delta) \Rightarrow (A', m', \delta')$. By suitably concretizing the filter relation, we can obtain a plethora of execution semantics.


Standard and Inconsistency-Aware Semantics. Given a GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$, we exploit filter relations to define its standard execution semantics (reconstructing that of [Calvanese et al., 2013b] for normal KABs), and three inconsistency-aware semantics that incorporate the repair-based approaches reviewed in Section 2.2. In particular, we introduce four filter relations $f_S$, $f_B$, $f_C$, $f_E$, as follows. Given an ABox $A$, an atomic action $\alpha(\vec{p}) \in \Gamma$, a legal parameter substitution $\sigma$ for $\alpha$ in $A$, and a service call evaluation $\theta \in \mathrm{EVAL}(\mathrm{ADD}^A_{\alpha\sigma})$, let $F^+ = \mathrm{ADD}^A_{\alpha\sigma}\theta$ and $F^- = \mathrm{DEL}^A_{\alpha\sigma}$. We then have $(A, F^+, F^-, A') \in f$, where

$A' = (A \setminus F^-) \cup F^+$, if $f = f_S$;
$A' \in \mathrm{B\text{-}REP}(T, (A \setminus F^-) \cup F^+)$, if $f = f_B$;
$A' = \mathrm{C\text{-}REP}(T, (A \setminus F^-) \cup F^+)$, if $f = f_C$;
$A' = \mathrm{EVOL}(T, A, F^+, F^-)$, if $f = f_E$ and $F^+$ is $T$-consistent.

Filter $f_S$ gives rise to the standard execution semantics for $\mathcal{G}$, since it just applies the update induced by the ground atomic action $\alpha\sigma$ (giving priority to additions over deletions). Filter $f_B$ gives rise to the b-repair execution semantics for $\mathcal{G}$, where inconsistent ABoxes are repaired by non-deterministically picking a b-repair. Filter $f_C$ gives rise to the c-repair execution semantics for $\mathcal{G}$, where inconsistent ABoxes are repaired by computing their unique c-repair. Filter $f_E$ gives rise to the b-evol execution semantics for $\mathcal{G}$, where for updates leading to inconsistent ABoxes, their unique bold-evolution is computed. We call the GKABs adopting these semantics S-GKABs, B-GKABs, C-GKABs, and E-GKABs, respectively, and we group the last three forms of GKABs under the umbrella of inconsistency-aware GKABs (I-GKABs).


Transforming S-KABs to S-GKABs. We close this section by showing that our S-GKABs are able to capture normal S-KABs in the literature [Bagheri Hariri et al., 2013b; Calvanese et al., 2013b]. In particular, we show the following.

Theorem 1. Verification of $\mu\mathcal{L}^{\mathit{EQL}}_A$ properties over S-KABs can be recast as verification over S-GKABs.

Proof sketch. We provide a translation $\tau_S$ that, given an S-KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ with transition system $\Upsilon^S_\mathcal{K}$, generates an S-GKAB $\tau_S(\mathcal{K}) = (T, A_0, \Gamma, \delta)$. Program $\delta$ is obtained from $\Pi$ as $\delta = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (a_1 | a_2 | \cdots | a_m)$, where, for each condition-action rule $Q_i(\vec{x}) \mapsto \alpha_i(\vec{x}) \in \Pi$, we have $a_i = \mathbf{pick}\ Q_i(\vec{x}) . \alpha_i(\vec{x})$. The translation produces a program that continues forever to non-deterministically pick an executable action with parameters (as specified by $\Pi$), or stops if no action is executable. It can then be proven directly that for every $\mu\mathcal{L}^{\mathit{EQL}}_A$ property $\Phi$, $\Upsilon^S_\mathcal{K} \models \Phi$ iff $\Upsilon^{f_S}_{\tau_S(\mathcal{K})} \models \Phi$. □


4 Compilation of Inconsistency Management

This section provides a general account of inconsistency management in GKABs, proving that all inconsistency-aware variants introduced in Section 3 can be reduced to S-GKABs.

Theorem 2. Verification of $\mu\mathcal{L}^{\mathit{EQL}}_A$ properties over I-GKABs can be recast as verification over S-GKABs.

The remainder of this section is devoted to proving this result, case by case. Our general strategy is to show that S-GKABs are sufficiently expressive to incorporate the repair-based approaches of Section 2.2, so that an action executed under a certain inconsistency semantics can be compiled into a Golog program that applies the action with the standard semantics, and then explicitly handles the inconsistency, if needed.

We start by recalling that checking whether a DL-Lite$_\mathcal{A}$ KB $(T, A)$ is inconsistent is FO rewritable, i.e., can be reduced to evaluating a boolean query $Q^T_{\mathit{unsat}}$ over $A$ (interpreted as a database) [Calvanese et al., 2007b]. To express such queries compactly, we make use of the following abbreviations. For role $R = P^-$, atom $R(x, y)$ denotes $P(y, x)$. For concept $B = \exists P$, atom $B(x)$ denotes $P(x, \_)$, where $\_$ stands for an anonymous existentially quantified variable. Similarly, for $B = \exists P^-$, atom $B(x)$ denotes $P(\_, x)$.

In particular, the boolean query $Q^T_{\mathit{unsat}}$ is:

$Q^T_{\mathit{unsat}} = \bigvee_{(\mathit{funct}\ R) \in T} \exists x, y, z . q_{\mathit{unsat}}((\mathit{funct}\ R), x, y, z)\ \vee\ \bigvee_{T \models B_1 \sqsubseteq \neg B_2} \exists x . q_{\mathit{unsat}}(B_1 \sqsubseteq \neg B_2, x)\ \vee\ \bigvee_{T \models R_1 \sqsubseteq \neg R_2} \exists x, y . q_{\mathit{unsat}}(R_1 \sqsubseteq \neg R_2, x, y)$

where:

• $q_{\mathit{unsat}}((\mathit{funct}\ R), x, y, z) = R(x, y) \wedge R(x, z) \wedge \neg[y = z]$;

• $q_{\mathit{unsat}}(B_1 \sqsubseteq \neg B_2, x) = B_1(x) \wedge B_2(x)$;

• $q_{\mathit{unsat}}(R_1 \sqsubseteq \neg R_2, x, y) = R_1(x, y) \wedge R_2(x, y)$.
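The three violation patterns of $Q^T_{\mathit{unsat}}$ above, together with the repair notions they feed in Section 2.2 (b-repairs, the c-repair and the bold evolution $\mathrm{EVOL}$), as an added worked example in Python; this is not code from the paper or its authors. Its encoding is an assumption of the example: a TBox is a dict of positive inclusions, negative inclusions and functionality assertions over basic concepts written as strings ("Student", "E:hasAdvisor" for $\exists\mathit{hasAdvisor}$, "E:hasAdvisor-" for $\exists\mathit{hasAdvisor}^-$), facts are tuples, and entailment under positive inclusions is approximated by saturating the ABox (membership in basic concepts and role facts in both directions), which is enough for the violations checked here. Repairs are enumerated by brute force over all subsets, which is only meant for toy-sized ABoxes. The sample TBox and ABoxes are constructed.

```python
from itertools import combinations

def inv(role):
    """Inverse of a basic role name: 'P' <-> 'P-'."""
    return role[:-1] if role.endswith("-") else role + "-"

def closure(tbox, abox):
    """Saturate under positive inclusions (assumed approximation of T-entailment):
    returns (basic-concept memberships, role facts incl. inverses)."""
    roles = set()
    for fact in abox:
        if len(fact) == 3:
            r, x, y = fact
            roles.add((r, x, y)); roles.add((inv(r), y, x))
    concepts = {f for f in abox if len(f) == 2}
    changed = True
    while changed:
        changed = False
        for r1, r2 in tbox["pos_role"]:                 # R1 ⊑ R2
            for r, x, y in list(roles):
                if r == r1 and (r2, x, y) not in roles:
                    roles.add((r2, x, y)); roles.add((inv(r2), y, x)); changed = True
        for r, x, y in roles:                           # R(x,y) gives (∃R)(x)
            if ("E:" + r, x) not in concepts:
                concepts.add(("E:" + r, x)); changed = True
        for b1, b2 in tbox["pos_concept"]:              # B1 ⊑ B2
            for b, x in list(concepts):
                if b == b1 and (b2, x) not in concepts:
                    concepts.add((b2, x)); changed = True
    return concepts, roles

def violations(tbox, abox):
    """Witnesses of the three disjuncts of Q_unsat, evaluated on the closure."""
    concepts, roles = closure(tbox, abox)
    found = []
    for r in tbox["funct"]:                             # R(x,y) ∧ R(x,z) ∧ ¬[y=z]
        succ = {}
        for rr, x, y in roles:
            if rr == r:
                succ.setdefault(x, set()).add(y)
        found += [("funct", r, x) for x, ys in succ.items() if len(ys) > 1]
    for b1, b2 in tbox["neg_concept"]:                  # B1(x) ∧ B2(x)
        found += [("neg_concept", b1, b2, x) for b, x in concepts
                  if b == b1 and (b2, x) in concepts]
    for r1, r2 in tbox["neg_role"]:                     # R1(x,y) ∧ R2(x,y)
        found += [("neg_role", r1, r2, x, y) for r, x, y in roles
                  if r == r1 and (r2, x, y) in roles]
    return found

def consistent(tbox, abox):
    return not violations(tbox, abox)

def maximal_consistent_subsets(tbox, base, fixed=frozenset()):
    """All A' ⊆ base such that fixed ∪ A' is T-consistent and A' is ⊆-maximal."""
    facts = sorted(base)
    ok = [frozenset(s) for k in range(len(facts) + 1)
          for s in combinations(facts, k) if consistent(tbox, fixed | set(s))]
    return [s for s in ok if not any(s < t for t in ok)]

def b_repairs(tbox, abox):
    """B-REP(T, A): maximal T-consistent subsets of A."""
    return maximal_consistent_subsets(tbox, abox)

def c_repair(tbox, abox):
    """C-REP(T, A): intersection of all b-repairs."""
    return frozenset.intersection(*b_repairs(tbox, abox))

def evol(tbox, abox, f_plus, f_minus):
    """EVOL(T, A, F+, F-): F+ is kept, a maximal consistent part of A \\ F- survives.
    Returns every candidate A_e so the reader can check it is unique."""
    if not consistent(tbox, f_plus):
        raise ValueError("F+ must be T-consistent")
    base = set(abox) - set(f_minus)
    return [frozenset(f_plus) | a2
            for a2 in maximal_consistent_subsets(tbox, base, frozenset(f_plus))]

# Constructed sample: Student ⊑ Person, ∃hasAdvisor ⊑ Student,
# Student ⊑ ¬Professor, (funct hasAdvisor).
TBOX = {"pos_concept": [("Student", "Person"), ("E:hasAdvisor", "Student")],
        "pos_role": [], "neg_concept": [("Student", "Professor")],
        "neg_role": [], "funct": ["hasAdvisor"]}
ABOX = {("Student", "ann"), ("Professor", "ann"), ("Person", "bob"),
        ("hasAdvisor", "ann", "bob"), ("hasAdvisor", "ann", "carl")}
CONSISTENT_ABOX = {("Student", "ann"), ("hasAdvisor", "ann", "bob"), ("Person", "bob")}

if __name__ == "__main__":
    print("violations:", violations(TBOX, ABOX))
    for rep in b_repairs(TBOX, ABOX):
        print("b-repair:", sorted(rep))
    print("c-repair:", sorted(c_repair(TBOX, ABOX)))
    print("evol:", [sorted(a) for a in evol(TBOX, CONSISTENT_ABOX,
                                            {("hasAdvisor", "ann", "carl")}, set())])
```

On the sample, `ABOX` violates both the functionality of `hasAdvisor` and `Student ⊑ ¬Professor` (the second also through the derived `Student(ann)` from `∃hasAdvisor ⊑ Student`), so there are three b-repairs, and their intersection, the c-repair, keeps only `Person(bob)`. The bold evolution of the consistent ABox by `F⁺ = {hasAdvisor(ann, carl)}` gives priority to the new fact and drops the old advisor.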


4.1 From B-GKABs to S-GKABs

To encode B-GKABs into S-GKABs, we use a special fact $M(\mathit{rep})$ to distinguish stable states, where an atomic action can be applied, from intermediate states used by the S-GKABs to incrementally remove inconsistent facts from the ABox. Stable/repair states are marked by the absence/presence of $M(\mathit{rep})$. To set/unset $M(\mathit{rep})$, we define the set $\Gamma_{\mathit{rep}} = \{\alpha^+_{\mathit{rep}}(), \alpha^-_{\mathit{rep}}()\}$ of actions, where $\alpha^+_{\mathit{rep}}() : \{\mathit{true} \rightsquigarrow \mathit{add}\ \{M(\mathit{rep})\}\}$, and $\alpha^-_{\mathit{rep}}() : \{\mathit{true} \rightsquigarrow \mathit{del}\ \{M(\mathit{rep})\}\}$.

Given a B-GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$, we define the set $\Gamma^b_T$ of b-repair actions and the set $\Lambda^b_T$ of b-repair atomic action invocations as follows. For each functionality assertion $(\mathit{funct}\ R) \in T$, we include in $\Lambda^b_T$ and $\Gamma^b_T$ respectively:

• $\mathbf{pick}\ \exists z . q_{\mathit{unsat}}((\mathit{funct}\ R), x, y, z) . \alpha_R(x, y) \in \Lambda^b_T$, and

• $\alpha_R(x, y) : \{R(x, z) \wedge \neg[z = y] \rightsquigarrow \mathit{del}\ \{R(x, z)\}\} \in \Gamma^b_T$.

This invocation repairs an inconsistency related to $(\mathit{funct}\ R)$ by removing all tuples causing the inconsistency, except one. For each negative concept inclusion $B_1 \sqsubseteq \neg B_2$ s.t. $T \models B_1 \sqsubseteq \neg B_2$, we include in $\Lambda^b_T$ and $\Gamma^b_T$ respectively:

• $\mathbf{pick}\ q_{\mathit{unsat}}(B_1 \sqsubseteq \neg B_2, x) . \alpha_{B_1}(x) \in \Lambda^b_T$, and

• $\alpha_{B_1}(x) : \{\mathit{true} \rightsquigarrow \mathit{del}\ \{B_1(x)\}\} \in \Gamma^b_T$.

This invocation repairs an inconsistency related to $B_1 \sqsubseteq \neg B_2$ by removing an individual that is both in $B_1$ and $B_2$ from $B_1$. Similarly for negative role inclusions. Given $\Lambda^b_T = \{a_1, \ldots, a_n\}$, we then define the b-repair program

$\delta_b = \mathbf{while}\ Q^T_{\mathit{unsat}}\ \mathbf{do}\ (a_1 | a_2 | \ldots | a_n)$.

Intuitively, $\delta_b$ iterates while the ABox is inconsistent, and at each iteration, non-deterministically picks one of the sources of inconsistency, and removes one or more facts causing it. Consequently, the loop is guaranteed to terminate, in a state that corresponds to one of the b-repairs of the initial ABox.

With this machinery at hand, we are ready to define a translation $\tau_B$ that, given $\mathcal{G}$, produces S-GKAB $\tau_B(\mathcal{G}) = (T_p, A_0, \Gamma \cup \Gamma^b_T \cup \Gamma_{\mathit{rep}}, \delta')$, where only the positive inclusion assertions $T_p$ of the original TBox $T$ are maintained (guaranteeing that $\tau_B(\mathcal{G})$ never encounters inconsistency). Program $\delta'$ is obtained from program $\delta$ of $\mathcal{G}$ by replacing each occurrence of an atomic action invocation $\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})$ with

$\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})\ ;\ \mathbf{pick}\ \mathit{true} . \alpha^+_{\mathit{rep}}()\ ;\ \delta_b\ ;\ \mathbf{pick}\ \mathit{true} . \alpha^-_{\mathit{rep}}()$

This program concatenates the original action invocation with a corresponding "repair" phase. Obviously, this means that when an inconsistent ABox is produced, a single transition in $\mathcal{G}$ corresponds to a sequence of transitions in $\tau_B(\mathcal{G})$. Hence, we need to introduce a translation $t_B$ that takes a formula $\Phi$ over $\mathcal{G}$ and produces a corresponding formula over $\tau_B(\mathcal{G})$. This is done by first obtaining formula $\Phi' = \mathrm{NNF}(\Phi)$, where $\mathrm{NNF}(\Phi)$ denotes the negation normal form of $\Phi$. Then, every subformula of $\Phi'$ of the form $\langle - \rangle \Psi$ becomes $\langle - \rangle \langle - \rangle \mu Z . ((M(\mathit{rep}) \wedge \langle - \rangle Z) \vee (\neg M(\mathit{rep}) \wedge t_B(\Psi)))$, so as to translate a next-state condition over $\mathcal{G}$ into reachability of the next stable state over $\tau_B(\mathcal{G})$. Similarly for $[-]\Psi$.

With these two translations at hand, we can show that

$\Upsilon^{f_B}_\mathcal{G} \models \Phi$ iff $\Upsilon^{f_S}_{\tau_B(\mathcal{G})} \models t_B(\Phi)$.
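The two translations of this subsection, $\tau_B$ on programs and $t_B$ on formulas, as an added example in Python; it is not code from the paper or its authors. The encodings are assumptions of the example: programs are nested tuples following the grammar of Section 3 (with queries, conditions and actions left as opaque strings), and a formula is a tuple whose tag is one of `"q"` (EQL query), `"var"`, `"not"`, `"and"`, `"or"`, `"exists"`, `"forall"`, `"next"` for $\langle - \rangle$, `"box"` for $[-]$, `"mu"`, `"nu"`. The negation normal form is computed in full, including the dualisation $\neg\mu Z.\Phi = \nu Z.\neg\Phi[Z/\neg Z]$. The text above gives the rewriting only for $\langle - \rangle\Psi$ and says "similarly" for $[-]\Psi$; the dual form used for `"box"` is an assumption of this example, as is the fresh variable name `"Zrep"`.

```python
# Constructed encodings (assumptions of this example, not the paper's own code).
M_REP = ("q", "M(rep)")
SET_REP = ("pick", "true", "alpha_rep+")      # pick true.alpha_rep+()
UNSET_REP = ("pick", "true", "alpha_rep-")    # pick true.alpha_rep-()

def tau_B_program(delta, delta_b):
    """delta' of Section 4.1: each pick Q(p).alpha(p) becomes
    pick Q(p).alpha(p); set; delta_b; unset, recursively through the program."""
    k = delta[0]
    if k == "eps":
        return delta
    if k == "pick":
        return ("seq", delta, ("seq", SET_REP, ("seq", delta_b, UNSET_REP)))
    if k in ("choice", "seq"):
        return (k, tau_B_program(delta[1], delta_b), tau_B_program(delta[2], delta_b))
    if k == "if":
        return ("if", delta[1], tau_B_program(delta[2], delta_b),
                tau_B_program(delta[3], delta_b))
    if k == "while":
        return ("while", delta[1], tau_B_program(delta[2], delta_b))
    raise ValueError(k)

DUAL = {"and": "or", "or": "and", "exists": "forall", "forall": "exists",
        "next": "box", "box": "next", "mu": "nu", "nu": "mu"}

def subst_neg(phi, Z):
    """Replace free occurrences of fixpoint variable Z by its negation."""
    k = phi[0]
    if k == "var":
        return ("not", phi) if phi[1] == Z else phi
    if k == "q" or (k in ("mu", "nu") and phi[1] == Z):
        return phi                                   # atom, or Z rebound
    if k in ("exists", "forall", "mu", "nu"):
        return (k, phi[1], subst_neg(phi[2], Z))
    return (k,) + tuple(subst_neg(a, Z) for a in phi[1:])

def nnf(phi):
    """Negation normal form: negations pushed down to queries and variables."""
    k = phi[0]
    if k == "not":
        return neg(phi[1])
    if k in ("and", "or", "next", "box"):
        return (k,) + tuple(nnf(a) for a in phi[1:])
    if k in ("exists", "forall", "mu", "nu"):
        return (k, phi[1], nnf(phi[2]))
    return phi

def neg(phi):
    """NNF of (not phi), dualising every operator on the way down."""
    k = phi[0]
    if k == "not":
        return nnf(phi[1])
    if k in ("and", "or", "next", "box"):
        return (DUAL[k],) + tuple(neg(a) for a in phi[1:])
    if k in ("exists", "forall"):
        return (DUAL[k], phi[1], neg(phi[2]))
    if k in ("mu", "nu"):            # not mu Z.F  ==  nu Z. not F[Z/not Z]
        return (DUAL[k], phi[1], neg(subst_neg(phi[2], phi[1])))
    return ("not", phi)              # query or variable

def t_B(phi):
    """Formula translation of Section 4.1: NNF first, then rewrite modalities."""
    return _rewrite(nnf(phi))

def _rewrite(phi):
    k = phi[0]
    if k == "next":   # <->Psi  ->  <-><-> mu Z.((M(rep) and <->Z) or (not M(rep) and t_B(Psi)))
        return ("next", ("next", ("mu", "Zrep",
                ("or", ("and", M_REP, ("next", ("var", "Zrep"))),
                       ("and", ("not", M_REP), _rewrite(phi[1]))))))
    if k == "box":    # assumed dual of the above for [-]Psi (the text only says "similarly")
        return ("box", ("box", ("nu", "Zrep",
                ("or", ("and", M_REP, ("box", ("var", "Zrep"))),
                       ("and", ("not", M_REP), _rewrite(phi[1]))))))
    if k in ("and", "or"):
        return (k, _rewrite(phi[1]), _rewrite(phi[2]))
    if k in ("exists", "forall", "mu", "nu"):
        return (k, phi[1], _rewrite(phi[2]))
    return phi

def count(tree, tag):
    """Number of nodes tagged `tag` in a program or formula tree."""
    return (tree[0] == tag) + sum(count(a, tag) for a in tree[1:] if isinstance(a, tuple))

# Constructed inputs: a two-action b-repair program and a one-loop GKAB program.
DELTA_B = ("while", "Q_unsat", ("choice", ("pick", "q_funct", "alpha_R"),
                                          ("pick", "q_neg", "alpha_B1")))
DELTA = ("while", "c", ("seq", ("pick", "Q1", "a1"), ("pick", "Q2", "a2")))
REACH_DONE = ("mu", "X", ("or", ("q", "Done"), ("next", ("var", "X"))))

if __name__ == "__main__":
    print(tau_B_program(DELTA, DELTA_B))
    print(nnf(("not", REACH_DONE)))
    print(t_B(REACH_DONE))
```

Each of the two original `pick`s of `DELTA` expands into five (the action, the set, the two repair invocations inside `DELTA_B`, and the unset), and the translated reachability formula carries one $\mu Z$ block per original $\langle - \rangle$, nested inside the user's own $\mu X$ without capturing it.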

4.2 From C-GKABs to S-GKABs

Making inconsistency management for C-GKABs explicit requires just a single action, which removes all individuals that are involved in some form of inconsistency. Hence, given a TBox $T$, we define a 0-ary c-repair action $\alpha^c_T$, where $\mathrm{EFF}(\alpha^c_T)$ is the smallest set containing the following effects:

• for each assertion $(\mathit{funct}\ R) \in T$, $q_{\mathit{unsat}}((\mathit{funct}\ R), x, y, z) \rightsquigarrow \{\mathit{del}\ \{R(x, y), R(x, z)\}\}$;

• for each assertion $B_1 \sqsubseteq \neg B_2$ s.t. $T \models B_1 \sqsubseteq \neg B_2$, $q_{\mathit{unsat}}(B_1 \sqsubseteq \neg B_2, x) \rightsquigarrow \{\mathit{del}\ \{B_1(x), B_2(x)\}\}$;

• similarly for negative role inclusions.

Notice that all effects are guarded by queries that extract only individuals involved in an inconsistency. Hence, other facts are kept unaltered, which also means that $\alpha^c_T$ is a no-op when applied over a $T$-consistent ABox. We define a translation $\tau_C$ that, given a C-GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$, generates an S-GKAB $\tau_C(\mathcal{G}) = (T_p, A_0, \Gamma \cup \{\alpha^c_T\}, \delta')$, which, as for B-GKABs, only maintains positive inclusion assertions of $T$. Program $\delta'$ is obtained from $\delta$ by replacing each occurrence of an atomic action invocation of the form $\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})$ with $\mathbf{pick}\ Q(\vec{p}) . \alpha(\vec{p})\ ;\ \mathbf{pick}\ \mathit{true} . \alpha^c_T()$. This attests that each transition in $\mathcal{G}$ corresponds to a sequence of two transitions in $\tau_C(\mathcal{G})$: the first mimics the action execution, while the second computes the c-repair of the obtained ABox.

A $\mu\mathcal{L}^{\mathit{EQL}}_A$ property $\Phi$ over $\mathcal{G}$ can then be recast as a corresponding property over $\tau_C(\mathcal{G})$ that substitutes each subformula $\langle - \rangle \Psi$ of $\Phi$ with $\langle - \rangle \langle - \rangle \Psi$ (similarly for $[-]\Psi$). By denoting this translation with $t_{\mathit{dup}}$, we get $\Upsilon^{f_C}_\mathcal{G} \models \Phi$ iff $\Upsilon^{f_S}_{\tau_C(\mathcal{G})} \models t_{\mathit{dup}}(\Phi)$.

4.3 From E-GKABs to S-GKABs

Differently from the case of B-GKABs and C-GKABs, E-GKABs pose two challenges: (i) when applying an atomic action (and managing the possibly arising inconsistency) it is necessary to distinguish those facts that are newly introduced by the action from those already present in the system; (ii) the evolution semantics can be applied only if the facts to be added are consistent with the TBox, and hence an additional check is required to abort the action execution if this is not the case. To this aim, given a TBox $T$, we duplicate concepts and roles in $T$, introducing a fresh concept name $N^n$ for every concept name $N$ in $T$ (similarly for roles). The key idea is to insert those individuals that are added to $N$ also in $N^n$, so as to trace that they are part of the update.

The first issue described above is then tackled by compiling the bold evolution semantics into a 0-ary evolution action $a^e_T$, where $\mathrm{EFF}(a^e_T)$ is the smallest set of effects containing:

• for each assertion $(\mathrm{funct}\ R) \in T$,
  $\exists z.q_{unsat}((\mathrm{funct}\ R), x, y, z) \wedge R^n(x,y) \rightsquigarrow \mathrm{del}\ \{R(x,z)\}$;

• for each assertion $B_1 \sqsubseteq \neg B_2$ s.t. $T \models B_1 \sqsubseteq \neg B_2$,
  $q_{unsat}(B_1 \sqsubseteq \neg B_2, x) \wedge B_1^n(x) \rightsquigarrow \mathrm{del}\ \{B_2(x)\}$;

• similarly for negative role inclusion assertions;

• for each concept name $N$, $N^n(x) \rightsquigarrow \mathrm{del}\ \{N^n(x)\}$;

• similarly for role names.

These effects mirror those of Section 4.2, with the difference that they asymmetrically remove old facts when inconsistency arises. The last two bullets guarantee that the contents of the concept and role names tracking the newly added facts are flushed. We then define a translation $\tau_E$ that, given an E-GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$, generates an S-GKAB $\tau_E(\mathcal{G}) = (T_p \cup T^n, A_0, \Gamma' \cup \{a^e_T\}, \delta')$, where:

• $T^n$ is obtained from $T$ by renaming each concept name $N$ in $T$ into $N^n$ (similarly for roles). In this way, the original concepts/roles are only subject in $\tau_E(\mathcal{G})$ to the positive inclusion assertions of $T$, while concepts/roles tracking newly inserted facts are subject also to negative constraints. This blocks the generation of the successor state when the facts to be added to the current ABox are $T$-inconsistent.

• $\Gamma'$ is obtained by translating each action $a(\vec{p}) \in \Gamma$ into an action $a'(\vec{p})$, such that for each effect $Q \rightsquigarrow \mathrm{add}\ F^+, \mathrm{del}\ F^- \in \mathrm{EFF}(a)$, we have $Q \rightsquigarrow \mathrm{add}\ F^+ \cup F^{+n}, \mathrm{del}\ F^- \in \mathrm{EFF}(a')$, where $F^{+n}$ duplicates $F^+$ by using the vocabulary for newly introduced facts.

• $\delta'$ is obtained from $\delta$ by replacing each action invocation pick $Q(\vec{p}).a(\vec{p})$ with pick $Q(\vec{p}).a'(\vec{p})$; pick true.$a^e_T()$.

By exploiting the same translation used in Section 4.2, we obtain that $\Upsilon^E_{\mathcal{G}} \models \Phi$ iff $\Upsilon^S_{\tau_E(\mathcal{G})} \models t_{dup}(\Phi)$.
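As an added example (not code from the paper), the following Python puts the c-repair action of Section 4.2 and the evolution action of Section 4.3 side by side on a constructed TBox and ABox: the c-repair deletes every assertion involved in a clash, the evolution step deletes only the old side of each clash, and it refuses the step when the newly added facts are themselves inconsistent. It assumes that negative inclusions are listed already closed under the TBox (no DL reasoning is performed), that basic concepts are plain concept names, and that the new facts of Section 4.3 are passed explicitly rather than tracked through the duplicated names $N^n$, $R^n$.

```python
# Added example (not from the paper): the c-repair of Section 4.2 and the
# bold-evolution repair of Section 4.3, executed on a constructed DL-Lite
# TBox and ABox.  Assumptions: negative inclusions are listed already closed
# under T (no TBox reasoning is done), basic concepts are concept names only,
# and the "new" facts of Section 4.3 are passed explicitly instead of being
# tracked through the duplicated names N^n / R^n.
from itertools import combinations

# Constructed TBox: Student ⊑ ¬Professor and (funct hasAdvisor).
TBOX = {
    "neg_incl": [("Student", "Professor")],
    "funct": ["hasAdvisor"],
}

# Facts are tuples: ("Student", "bob") or ("hasAdvisor", "bob", "ann").
ABOX = {("Student", "bob"), ("hasAdvisor", "bob", "ann")}


def conflicting_pairs(tbox, abox):
    """Pairs of assertions that jointly violate a negative inclusion
    (Definition 10) or a functionality assertion (Definition 11)."""
    pairs = set()
    for b1, b2 in tbox["neg_incl"]:
        for f in abox:
            if f[0] == b1 and (b2, f[1]) in abox:
                pairs.add(frozenset({f, (b2, f[1])}))
    for r in tbox["funct"]:
        facts = [f for f in abox if f[0] == r]
        for f, g in combinations(facts, 2):
            if f[1] == g[1] and f[2] != g[2]:
                pairs.add(frozenset({f, g}))
    return pairs


def inc(tbox, abox):
    """INC(A) of Definition 12: every assertion taking part in a violation.
    It is empty exactly when A is T-consistent (Lemma 13)."""
    return set().union(*conflicting_pairs(tbox, abox))


def c_repair(tbox, abox):
    """The c-repair action a^c_T: delete everything involved in a clash; a
    no-op on a consistent ABox."""
    return abox - inc(tbox, abox)


def step_c(tbox, abox, add, delete):
    """One transition of tau_C(G): the action itself, then the c-repair."""
    return c_repair(tbox, (abox - delete) | add)


def step_e(tbox, abox, add, delete):
    """One transition of tau_E(G): the action, then the evolution action a^e_T,
    which removes only OLD assertions clashing with a NEW one.  Returns None
    when the new facts are themselves T-inconsistent, i.e. the successor
    state is blocked by the constraints on the N^n / R^n copies."""
    if inc(tbox, add):
        return None
    updated = (abox - delete) | add
    doomed = set()
    for pair in conflicting_pairs(tbox, updated):
        if pair & add:                # one side is new: the old side goes
            doomed |= pair - add
    return updated - doomed


# Constructed update: bob becomes a professor and gets a second advisor.
ADD = {("Professor", "bob"), ("hasAdvisor", "bob", "carl")}

if __name__ == "__main__":
    print("c-repair:", step_c(TBOX, ABOX, ADD, set()))
    print("e-repair:", step_e(TBOX, ABOX, ADD, set()))
    print("blocked :", step_e(TBOX, ABOX, {("Student", "eve"), ("Professor", "eve")}, set()))
```

On the constructed input the c-repair wipes the whole ABox (every fact is in a clash), while the evolution step keeps the two new facts and drops the two old ones they contradict; adding Student(eve) and Professor(eve) together is refused, which is the blocking behaviour of the $T^n$ constraints.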


5 From Golog to Standard KABs

We close our tour by showing that S-GKABs can be compiled into the normal S-KABs of [Bagheri Hariri et al., 2013b; Calvanese et al., 2013b].

Theorem 3. Verification of $\mu\mathcal{L}^{EQL}_A$ properties over S-GKABs can be recast as verification over S-KABs.

Proof sketch. We introduce a translation from S-GKABs to S-KABs, and from properties over S-GKABs to corresponding properties over S-KABs, in such a way that verification in the first setting can be reduced to verification in the second setting. The translation is quite involved; for space reasons, we refer to Section C.2 in the Appendix for details. □

From Theorems 1 and 3 we obtain that S-KABs and S-GKABs are expressively equivalent. From Theorems 2 and 3 we get our second major result: inconsistency management can be compiled into an S-KAB by concatenating the two translations, from I-GKABs to S-GKABs and then to S-KABs.

Theorem 4. Verification of $\mu\mathcal{L}^{EQL}_A$ properties over I-GKABs can be recast as verification over S-KABs.

Even more interesting is the fact that the semantic property of run-boundedness [Bagheri Hariri et al., 2013a; Bagheri Hariri et al., 2013b] is preserved by all translations presented in this paper. Intuitively, run-boundedness requires that every run of the system cumulatively encounters at most a bounded number of individuals. Unboundedly many individuals can still be present in the overall system, provided that they do not accumulate in the same run. Thanks to the preservation of run-boundedness, and to the compilation of I-GKABs into S-KABs, we get:

Theorem 5. Verification of properties over run-bounded I-GKABs is decidable, and reducible to standard $\mu$-calculus finite-state model checking.

Proof sketch. The claim follows by combining the fact that all translations preserve run-boundedness, Theorem 4, and the results in [Bagheri Hariri et al., 2013a; Bagheri Hariri et al., 2013b] for run-bounded S-KABs. □



6 Conclusion

We introduced GKABs, which extend KABs with Golog-inspired high-level programs, and provided a parametric execution semantics supporting an elegant treatment of inconsistency. We have shown that verification of rich temporal properties over (inconsistency-aware) GKABs can be recast as verification over standard KABs, by encoding the semantics of inconsistency in terms of Golog programs and specific inconsistency-management actions, and Golog programs into standard KAB condition-action rules. An overview of our reductions is depicted below. Our approach is very general, and can be seamlessly extended to account for other mechanisms for handling inconsistency and, more in general, data cleaning.

[Figure: overview of the reductions. B-GKABs, C-GKABs and E-GKABs are each translated into S-GKABs, and S-GKABs and S-KABs are translated into each other.]
A Some Additional Basic Notions and Notation Conventions

Given a function $f$, we often write $[a \mapsto b]$ when $f(a) = b$ (i.e., $f$ maps $a$ to $b$). We write $\mathrm{DOM}(f)$ to denote the domain of $f$.

Given a substitution $\sigma$, we write $x/c \in \sigma$ if $\sigma(x) = c$, i.e., $\sigma$ maps $x$ into $c \in \Delta$ (or sometimes we also say $\sigma$ substitutes $x$ with $c \in \Delta$). We write $\sigma[x/c]$ to denote a new substitution obtained from $\sigma$ such that $\sigma[x/c](x) = c$ and $\sigma[x/c](y) = \sigma(y)$ (for $y \neq x$).

We call the set of concept and role names that appear in a TBox $T$ the vocabulary of TBox $T$, denoted by $\mathrm{VOC}(T)$. W.l.o.g., given a TBox $T$, we assume that $\mathrm{VOC}(T)$ contains all possible concept and role names. Notice that we can simply add an assertion $N \sqsubseteq N$ (resp. $P \sqsubseteq P$) to the TBox $T$ in order to add a concept name $N$ (resp. role name $P$) to $\mathrm{VOC}(T)$, such that $\mathrm{VOC}(T)$ contains all possible concept and role names, without changing the expected set of models of the TBox $T$ (hence, preserving the deductive closure of $T$). Moreover, we say that an ABox $A$ is over $\mathrm{VOC}(T)$ if it consists of ABox assertions of the form either $N(o_1)$ or $P(o_1, o_2)$ where $N, P \in \mathrm{VOC}(T)$.

We now define some abbreviations for ABox assertions that we will use later in order to have a compact presentation.

Definition 6 (Abbreviations for ABox assertions). We define some notations to compactly express various ABox assertions as follows:

• Given a TBox assertion $B \sqsubseteq B_1$ or $B \sqsubseteq \neg B_1$, an assertion $B(c)$ denotes

  - $N(c)$ if $B = N$,

  - $P(c, c')$ if $B = \exists P$,

  - $P(c', c)$ if $B = \exists P^-$,

  where $c'$ is a constant;

• Given a TBox assertion $R \sqsubseteq R_1$ or $R \sqsubseteq \neg R_1$, an assertion $R(c_1, c_2)$ denotes

  - $P(c_1, c_2)$ if $R = P$,

  - $P(c_2, c_1)$ if $R = P^-$. ■

Given a Golog program $\delta$ we define the notion of sub-programs of $\delta$ as follows.

Definition 7 (Sub-program). Given a program $\delta$, we define the notion of a sub-program of $\delta$ inductively as follows:

• $\delta$ is a sub-program of $\delta$;

• if $\delta$ is of the form $\delta_1 \mid \delta_2$, $\delta_1 ; \delta_2$, or if $\varphi$ then $\delta_1$ else $\delta_2$, then

  - $\delta_1$ and $\delta_2$ are both sub-programs of $\delta$,

  - each sub-program of $\delta_1$ is a sub-program of $\delta$,

  - each sub-program of $\delta_2$ is a sub-program of $\delta$;

• if $\delta$ is of the form while $\varphi$ do $\delta_1$, then

  - $\delta_1$ is a sub-program of $\delta$,

  - each sub-program of $\delta_1$ is a sub-program of $\delta$. ■

We say a program $\delta'$ occurs in $\delta$ if $\delta'$ is a sub-program of $\delta$.
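As an added example (not code from the paper), the following Python gives a small syntax tree for Golog programs, computes the sub-program set of Definition 7 by the same induction, and performs the rewriting of atomic invocations that the translations of Sections 4.1 to 4.3 apply to the program (every pick $Q(\vec{p}).a(\vec{p})$ is followed by a repair invocation). The class names, the program and the repair action name `a_c_T` are our own constructions.

```python
# Added example (not from the paper): a small syntax for Golog programs, the
# sub-program relation of Definition 7, and the rewriting of atomic action
# invocations used by the translations of Sections 4.1-4.3 (every
# pick Q(p).a(p) gets a repair invocation appended).  The representation and
# the program below are our own constructions.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Pick:                    # pick Q(p).a(p)
    query: str
    action: str
    params: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Choice:                  # d1 | d2
    left: object
    right: object


@dataclass(frozen=True)
class Seq:                     # d1 ; d2
    left: object
    right: object


@dataclass(frozen=True)
class If:                      # if phi then d1 else d2
    cond: str
    then: object
    other: object


@dataclass(frozen=True)
class While:                   # while phi do d1
    cond: str
    body: object


def subprograms(delta):
    """The set of sub-programs of delta, exactly as Definition 7 builds it."""
    subs = {delta}
    if isinstance(delta, (Choice, Seq)):
        subs |= subprograms(delta.left) | subprograms(delta.right)
    elif isinstance(delta, If):
        subs |= subprograms(delta.then) | subprograms(delta.other)
    elif isinstance(delta, While):
        subs |= subprograms(delta.body)
    return subs


def occurs_in(sub, delta):
    """delta' occurs in delta iff delta' is a sub-program of delta."""
    return sub in subprograms(delta)


def invocations(delta):
    """Atomic action invocations of delta in left-to-right order (with repeats)."""
    if isinstance(delta, Pick):
        return [delta]
    if isinstance(delta, (Choice, Seq)):
        return invocations(delta.left) + invocations(delta.right)
    if isinstance(delta, If):
        return invocations(delta.then) + invocations(delta.other)
    return invocations(delta.body)


def add_repair(delta, repair):
    """Replace every pick Q(p).a(p) by  pick Q(p).a(p); pick true.repair()
    (the shape of delta' in tau_C and tau_E); structure is otherwise kept."""
    if isinstance(delta, Pick):
        return Seq(delta, Pick("true", repair))
    if isinstance(delta, Choice):
        return Choice(add_repair(delta.left, repair), add_repair(delta.right, repair))
    if isinstance(delta, Seq):
        return Seq(add_repair(delta.left, repair), add_repair(delta.right, repair))
    if isinstance(delta, If):
        return If(delta.cond, add_repair(delta.then, repair), add_repair(delta.other, repair))
    return While(delta.cond, add_repair(delta.body, repair))


# Constructed program: while true do (enroll | if Full() then close else open).
EXAMPLE = While("true", Choice(
    Pick("Student(x)", "enroll", ("x",)),
    If("Full()", Pick("true", "close"), Pick("Seat(s)", "open", ("s",)))))
TRANSLATED = add_repair(EXAMPLE, "a_c_T")   # the program delta' of tau_C(G)

if __name__ == "__main__":
    print(len(subprograms(EXAMPLE)), "sub-programs;", len(invocations(EXAMPLE)), "invocations")
    print(len(subprograms(TRANSLATED)), "sub-programs;", len(invocations(TRANSLATED)), "invocations")
```

Because the sub-program relation is a set, structurally identical occurrences (here the three copies of the repair invocation) count once, whereas `invocations` keeps every occurrence; the rewriting doubles the number of invocations and leaves the control structure untouched.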

Given an action invocation pick $Q(\vec{p}).a(\vec{p})$ and an ABox $A$, when a substitution $\sigma$ is legal for $a$ in $A$, we often also say that $\sigma$ is a legal parameter assignment for $a$ in $A$.


We now proceed to define the notion of a program execution trace, as well as the notion of when such a trace is called terminating. Moreover, we also define the notion of the program execution result in the case of a terminating program execution trace.

Definition 8 (Program Execution Trace). Let $\Upsilon_{\mathcal{G}} = (\Delta, T, \Sigma, s_0, abox, \Rightarrow)$ be the transition system of a GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$. Given a state $\langle A_1, m_1, \delta_1\rangle$, a program execution trace $\pi$ induced by $\delta_1$ on $\langle A_1, m_1, \delta_1\rangle$ w.r.t. filter $f$ is a (possibly infinite) sequence of states of the form

\[
\pi = \langle A_1, m_1, \delta_1\rangle \to \langle A_2, m_2, \delta_2\rangle \to \langle A_3, m_3, \delta_3\rangle \to \cdots
\]

s.t. $\langle A_i, m_i, \delta_i\rangle \xrightarrow{\alpha\sigma,\,f} \langle A_{i+1}, m_{i+1}, \delta_{i+1}\rangle$ for $i \geq 1$. ■

Definition 9 (Terminating Program Execution Trace). Let $\Upsilon_{\mathcal{G}} = (\Delta, T, \Sigma, s_0, abox, \Rightarrow)$ be the transition system of a GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$. Given a state $\langle A_1, m_1, \delta_1\rangle$, and a program execution trace $\pi$ induced by $\delta_1$ on $\langle A_1, m_1, \delta_1\rangle$, we call $\pi$ terminating if

(1) $\langle A_1, m_1, \delta_1\rangle$ is a final state, or

(2) if $\langle A_1, m_1, \delta_1\rangle$ is not a final state, then there exists a state $\langle A_n, m_n, \delta_n\rangle$ such that we have the following finite program execution trace

\[
\pi = \langle A_1, m_1, \delta_1\rangle \to \langle A_2, m_2, \delta_2\rangle \to \cdots \to \langle A_n, m_n, \delta_n\rangle,
\]

where $\langle A_i, m_i, \delta_i\rangle$ (for $i \in \{1, \ldots, n-1\}$) are not final states, and $\langle A_n, m_n, \delta_n\rangle$ is a final state.

In situation (1) (resp. (2)), we call the ABox $A_1$ (resp. $A_n$) the result of executing $\delta_1$ on $\langle A_1, m_1, \delta_1\rangle$ w.r.t. filter $f$. Additionally, we also say that $\pi$ is the program execution trace that produces $A_1$ (resp. $A_n$). ■

We write $\mathrm{RES}(A_1, m_1, \delta_1)$ to denote the set of all ABoxes that are the result of executing $\delta_1$ on $\langle A_1, m_1, \delta_1\rangle$ w.r.t. filter $f$. Note that, given a state $\langle A_1, m_1, \delta_1\rangle$, it is possible to have several terminating program execution traces. Intuitively, a program execution trace is a sequence of states which captures the computation of the program as well as the evolution of the system states by the program. Additionally, it is terminating if at some point it reaches a final state.

For technical reasons, we also reserve some fresh concept names Flag, Noop and State (i.e., they are outside of any TBox vocabulary), and they are not allowed to be used in any temporal properties (i.e., in EQL or $\mu\mathcal{L}^{EQL}_A$ formulas). We call them special marker concept names. Additionally, we make use of the constants in $A_0$ to populate them. We call a special marker an ABox assertion that is obtained by applying either Flag, Noop or State to a constant in $A_0$. Additionally, we call a flag a special marker formed by applying either concept name Flag or Noop to a constant in $A_0$. Later on, we use flags as markers to impose a certain sequence of action executions, and we use the special marker $State(temp)$ (where $temp \in A_0$) to mark an intermediate state.

A.1 Inconsistency Management Related Notions

In this section we introduce some notions related to inconsistency. Below we introduce the notion of negative inclusion assertion (resp. functionality assertion) violation.

Definition 10 (Violation of a Negative Inclusion Assertion). Let $(T, A)$ be a KB, and $T \models B_1 \sqsubseteq \neg B_2$. We say $B_1 \sqsubseteq \neg B_2$ is violated if there exists a constant $c$ such that $\{B_1(c), B_2(c)\} \subseteq A$. In this situation, we also say that $B_1(c)$ (resp. $B_2(c)$) violates $B_1 \sqsubseteq \neg B_2$. Similarly for roles. ■

Definition 11 (Violation of a Functionality Assertion). Let $(T, A)$ be a KB, and $(\mathrm{funct}\ R) \in T$. We say $(\mathrm{funct}\ R)$ is violated if there exist constants $c, c_1, c_2$ such that $\{R(c, c_1), R(c, c_2)\} \subseteq A$ and $c_1 \neq c_2$. In this situation, we also say that $R(c, c_1)$ (resp. $R(c, c_2)$) violates $(\mathrm{funct}\ R)$. ■

Next, we define the notion of a set of inconsistent ABox assertions as follows.

Definition 12 (Set of Inconsistent ABox Assertions). Given a KB $(T, A)$, we define the set $\mathrm{INC}(A)$ containing all ABox assertions that participate in the inconsistencies w.r.t. $T$ as the smallest set satisfying the following:

1. for each negative inclusion assertion $B_1 \sqsubseteq \neg B_2$ s.t. $T \models B_1 \sqsubseteq \neg B_2$, we have $B_1(c) \in \mathrm{INC}(A)$ if $B_1(c)$ violates $B_1 \sqsubseteq \neg B_2$;

2. for each negative inclusion assertion $R_1 \sqsubseteq \neg R_2$ s.t. $T \models R_1 \sqsubseteq \neg R_2$, we have $R_1(c_1, c_2) \in \mathrm{INC}(A)$ if $R_1(c_1, c_2)$ violates $R_1 \sqsubseteq \neg R_2$;

3. for each functionality assertion $(\mathrm{funct}\ R) \in T$, we have $R(c_1, c_2) \in \mathrm{INC}(A)$ if $R(c_1, c_2)$ violates $(\mathrm{funct}\ R)$.

Lemma 13. Given a TBox $T$ and an ABox $A$, we have $|\mathrm{INC}(A)| = 0$ if and only if $A$ is $T$-consistent.

Proof. Trivially follows from the definition, since in that case there is no ABox assertion violating any functionality or negative inclusion assertion. □

A.2 History Preserving $\mu$-calculus ($\mu\mathcal{L}^{EQL}_A$)

This section briefly explains the history preserving $\mu$-calculus ($\mu\mathcal{L}^{EQL}_A$) (defined in [Bagheri Hariri et al., 2013b]) as an additional explanation w.r.t. the explanation in Section 2.4.

The semantics of $\mu\mathcal{L}^{EQL}_A$ formulae is defined over transition systems $\Upsilon = (\Delta, T, \Sigma, s_0, abox, \Rightarrow)$. Since $\mu\mathcal{L}^{EQL}_A$ contains formulae with both individual and predicate free variables, given a transition system $\Upsilon$, we introduce:

1. An individual variable valuation $v$, i.e., a mapping from individual variables $x$ to $\Delta$.

2. A predicate variable valuation $V$, i.e., a mapping from the predicate variables $Z$ to a subset of $\Sigma$.

Given an individual variable valuation $v$, we write $x/c \in v$ if $v(x) = c$, i.e., $v$ maps $x$ into $c \in \Delta$ (or sometimes we also say $v$ substitutes $x$ with $c \in \Delta$). We write $v[x/c]$ to denote a new individual variable valuation obtained from $v$ such that $v[x/c](x) = c$ and $v[x/c](y) = v(y)$ (for $y \neq x$). We use similar notation for predicate variable valuations.

We assign meaning to $\mu\mathcal{L}^{EQL}_A$ formulas by associating to $\Upsilon$, $v$ and $V$ an extension function $(\cdot)^{\Upsilon}_{v,V}$, which maps $\mu\mathcal{L}^{EQL}_A$ formulas to subsets of $\Sigma$. The extension function $(\cdot)^{\Upsilon}_{v,V}$ is defined inductively as follows:

\[
\begin{array}{lcl}
(Q)^{\Upsilon}_{v,V} & = & \{ s \in \Sigma \mid \mathrm{ANS}(Qv, T, abox(s)) = \mathrm{true} \} \\
(\exists x.\Phi)^{\Upsilon}_{v,V} & = & \{ s \in \Sigma \mid \exists d.\ d \in \mathrm{ADOM}(abox(s)) \text{ and } s \in (\Phi)^{\Upsilon}_{v[x/d],V} \} \\
(Z)^{\Upsilon}_{v,V} & = & V(Z) \subseteq \Sigma \\
(\Phi_1 \wedge \Phi_2)^{\Upsilon}_{v,V} & = & (\Phi_1)^{\Upsilon}_{v,V} \cap (\Phi_2)^{\Upsilon}_{v,V} \\
(\langle - \rangle\Phi)^{\Upsilon}_{v,V} & = & \{ s \in \Sigma \mid \exists s'.\ s \Rightarrow s' \text{ and } s' \in (\Phi)^{\Upsilon}_{v,V} \} \\
(\mu Z.\Phi)^{\Upsilon}_{v,V} & = & \bigcap \{ \mathcal{E} \subseteq \Sigma \mid (\Phi)^{\Upsilon}_{v,V[Z/\mathcal{E}]} \subseteq \mathcal{E} \}
\end{array}
\]

Besides the usual FOL abbreviations, we also make use of the following ones: $[-]\Phi = \neg\langle - \rangle(\neg\Phi)$ and $\nu Z.\Phi = \neg\mu Z.\neg\Phi[Z/\neg Z]$. Here, $Qv$ stands for the query obtained from $Q$ by substituting its free variables according to $v$. When $\Phi$ is a closed formula, $(\Phi)^{\Upsilon}_{v,V}$ does not depend on $v$ or $V$, and we denote the extension of $\Phi$ simply by $(\Phi)^{\Upsilon}$. A closed formula $\Phi$ holds in a state $s \in \Sigma$ if $s \in (\Phi)^{\Upsilon}$. In this case, we write $\Upsilon, s \models \Phi$. A closed formula $\Phi$ holds in $\Upsilon$, briefly $\Upsilon$ satisfies $\Phi$, if $\Upsilon, s_0 \models \Phi$ (in this situation we write $\Upsilon \models \Phi$). Given a GKAB $\mathcal{G}$ and a $\mu\mathcal{L}^{EQL}_A$ property $\Phi$, let $\Upsilon_{\mathcal{G}}$ be the transition system of $\mathcal{G}$; we say $\mathcal{G}$ satisfies $\Phi$ if $\Upsilon_{\mathcal{G}}$ satisfies $\Phi$.


A.3 S-KABs Execution Semantics

As we need it later in the proof, here we briefly review the execution semantics of S-KABs that we consider, as described in the literature [Bagheri Hariri et al., 2013b; Calvanese et al., 2013b], by also combining the framework with the action specification formalism in [Montali et al., 2014]. The execution semantics of an S-KAB is defined in terms of a possibly infinite-state transition system. Formally, given an S-KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, we define its semantics by the transition system $\Upsilon^S_{\mathcal{K}} = (\Delta, T, \Sigma, s_0, abox, \Rightarrow)$, where: (i) $T$ is a DL-Lite$_{\mathcal{A}}$ TBox; (ii) $\Sigma$ is a (possibly infinite) set of states; (iii) $s_0 \in \Sigma$ is the initial state; (iv) $abox$ is a function that, given a state $s \in \Sigma$, returns the ABox associated to $s$; (v) $\Rightarrow \subseteq \Sigma \times \Sigma$ is a transition relation between pairs of states. Intuitively, the transition system $\Upsilon^S_{\mathcal{K}}$ of the S-KAB $\mathcal{K}$ captures all possible evolutions of the system by the actions, in accordance with the available condition-action rules. Each state $s \in \Sigma$ of the transition system $\Upsilon^S_{\mathcal{K}}$ is a tuple $\langle A, m\rangle$, where $A$ is an ABox and $m$ is a service call map.

The semantics of an action execution is as follows. Given a state $s = \langle A, m\rangle$, let $a \in \Gamma$ be an action of the form $a(\vec{p}) : \{e_1, \ldots, e_m\}$ with $e_i = Q(\vec{x}) \rightsquigarrow \mathrm{add}\ F^+, \mathrm{del}\ F^-$, and let $\sigma$ be a parameter substitution for $\vec{p}$ with values taken from $\Delta$. We say that $a$ is executable in $A$ with a parameter substitution $\sigma$ if there exists a condition-action rule $Q(\vec{x}) \mapsto a(\vec{x}) \in \Pi$ s.t. $\mathrm{ANS}(Q\sigma, T, A)$ is true. In that case we call $\sigma$ a legal parameter assignment for $a$. The result of the application of $a$ to an ABox $A$ using a parameter substitution $\sigma$ is captured by the following function:

\[
\mathrm{DO}(T, A, a\sigma) = \Big( A \setminus \bigcup_{e_i \in \mathrm{EFF}(a)} \ \bigcup_{\rho \in \mathrm{ANS}(Q\sigma, T, A)} F^-\sigma\rho \Big) \cup \Big( \bigcup_{e_i \in \mathrm{EFF}(a)} \ \bigcup_{\rho \in \mathrm{ANS}(Q\sigma, T, A)} F^+\sigma\rho \Big)
\]

where $e_i = Q(\vec{x}) \rightsquigarrow \mathrm{add}\ F^+, \mathrm{del}\ F^-$.

Intuitively, the result of the evaluation of $a$ is obtained by first deleting from $A$ the assertions obtained from the grounding of the facts in $F^-$, and then adding the new assertions obtained from the grounding of the facts in $F^+$. The groundings of the facts in $F^+$ and $F^-$ are obtained from all the certain answers of the query $Q(\vec{x})$ over $(T, A)$.

The result of $\mathrm{DO}(T, A, a\sigma)$ is in general not a proper ABox, because it could contain (ground) Skolem terms, attesting that in order to produce the ABox, some service calls have to be issued. We denote by $\mathrm{CALLS}(\mathrm{DO}(T, A, a\sigma))$ the set of such ground service calls, and by $\mathrm{EVAL}(T, A, a\sigma)$ the set of substitutions that replace such calls with concrete values taken from $\Delta$. Specifically, $\mathrm{EVAL}(T, A, a\sigma)$ is defined as

\[
\mathrm{EVAL}(T, A, a\sigma) = \{ \theta \mid \theta \text{ is a total function } \theta : \mathrm{CALLS}(\mathrm{DO}(T, A, a\sigma)) \to \Delta \}.
\]

With all these notions in place, we can now recall the execution semantics of a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$. To do so, we first introduce a transition relation $\mathrm{EXEC}_{\mathcal{K}}$ that connects pairs of ABoxes and service call maps due to action execution. In particular, $\langle\langle A, m\rangle, a\sigma, \langle A', m'\rangle\rangle \in \mathrm{EXEC}_{\mathcal{K}}$ if the following holds:

1. $a$ is executable in $A$ with parameter substitution $\sigma$;

2. there exists $\theta \in \mathrm{EVAL}(T, A, a\sigma)$ s.t. $\theta$ and $m$ "agree" on the common values in their domains (in order to realize the deterministic service call semantics);

3. $A' = \mathrm{DO}(T, A, a\sigma)\theta$;

4. $m' = m \cup \theta$ (i.e., updating the history of issued service calls).

For a more intuitive notation, we write $\langle A, m\rangle \xrightarrow{a\sigma} \langle A', m'\rangle$ to denote $\langle\langle A, m\rangle, a\sigma, \langle A', m'\rangle\rangle \in \mathrm{EXEC}_{\mathcal{K}}$.

The transition system $\Upsilon^S_{\mathcal{K}}$ of $\mathcal{K}$ is then defined as $(\Delta, T, \Sigma, s_0, abox, \Rightarrow)$ where

• $s_0 = \langle A_0, \emptyset\rangle$, and

• $\Sigma$ and $\Rightarrow$ are defined by simultaneous induction as the smallest sets satisfying the following properties:

  (i) $s_0 \in \Sigma$;

  (ii) if $\langle A, m\rangle \in \Sigma$, then for all actions $a \in \Gamma$, for all substitutions $\sigma$ for the parameters of $a$ and for all $\langle A', m'\rangle$ s.t. $\langle A, m\rangle \xrightarrow{a\sigma} \langle A', m'\rangle$ and $A'$ is $T$-consistent, we have $\langle A', m'\rangle \in \Sigma$ and $\langle A, m\rangle \Rightarrow \langle A', m'\rangle$.

A run of $\Upsilon^S_{\mathcal{K}}$ is a (possibly infinite) sequence $s_0 s_1 \cdots$ of states of $\Upsilon^S_{\mathcal{K}}$ such that $s_i \Rightarrow s_{i+1}$, for all $i \geq 0$.
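As an added example (not code from the paper), the following Python executes the four ingredients of this subsection on a constructed action: DO grounds the delete and add sets from the answers of the effect query, CALLS collects the Skolem terms left behind, EVAL enumerates the substitutions for them, and EXEC applies one of them while enforcing that the service call map and the new substitution agree, which is what makes service calls deterministic across a run. It assumes that queries are conjunctive queries answered over the ABox alone (no TBox reasoning), that variables are strings prefixed with `?`, and that a service call $f(t)$ is written as the tuple `("f", t)`.

```python
# Added example (not from the paper): the DO function, CALLS, EVAL and the
# EXEC relation of Appendix A.3 run over a constructed S-KAB action.
# Assumptions: queries are conjunctive queries answered over the ABox alone
# (no TBox reasoning), variables are strings prefixed with "?", and a service
# call f(t) is written as the tuple ("f", t).
from itertools import product


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def subst(term, binding):
    """Apply a binding to a term; unbound variables are left as they are and
    service-call terms are grounded component-wise."""
    if is_var(term):
        return binding.get(term, term)
    if isinstance(term, tuple):
        return (term[0],) + tuple(subst(t, binding) for t in term[1:])
    return term


def match(pattern, fact, binding):
    """Unify one query atom with one fact, extending the binding or failing."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return b


def answers(query, abox):
    """ANS(Q, A) for a conjunctive query: all bindings of its variables."""
    bindings = [{}]
    for atom in query:
        bindings = [b2 for b in bindings for f in abox
                    for b2 in [match(atom, f, b)] if b2 is not None]
    return bindings


def do(action, abox, sigma):
    """DO(T, A, a sigma): for every effect Q ~> add F+, del F-, ground F- and F+
    with sigma and every answer rho of Q sigma; delete first, then add."""
    dels, adds = set(), set()
    for query, add, delete in action:
        q = [tuple(subst(t, sigma) for t in atom) for atom in query]
        for rho in answers(q, abox):
            rho = {**sigma, **rho}
            dels |= {tuple(subst(t, rho) for t in f) for f in delete}
            adds |= {tuple(subst(t, rho) for t in f) for f in add}
    return (abox - dels) | adds


def calls(result):
    """CALLS(DO(...)): the ground service calls left in the DO result."""
    return {t for f in result for t in f if isinstance(t, tuple)}


def evals(result, values):
    """EVAL: all total functions from CALLS(DO(...)) to a finite slice of
    Delta (Delta itself is infinite; we enumerate only the given values)."""
    cs = sorted(calls(result))
    return [dict(zip(cs, vs)) for vs in product(values, repeat=len(cs))]


def exec_step(action, abox, m, sigma, theta):
    """EXEC: <A,m> --a sigma--> <A',m'> with A' = DO(...)theta and m' = m U theta.
    theta must agree with m on calls already issued (deterministic service
    call semantics); otherwise the transition does not exist (None)."""
    if any(c in m and m[c] != v for c, v in theta.items()):
        return None
    grounded = do(action, abox, sigma)
    new_abox = {tuple(theta.get(t, t) for t in f) for f in grounded}
    return new_abox, {**m, **theta}


# Constructed action assign(p):
#   { Student(p) ~> add {hasAdvisor(p, pickAdvisor(p))}, del {Unassigned(p)} }
ASSIGN = [([("Student", "?p")],
           [("hasAdvisor", "?p", ("pickAdvisor", "?p"))],
           [("Unassigned", "?p")])]
A0 = {("Student", "bob"), ("Unassigned", "bob")}

if __name__ == "__main__":
    r = do(ASSIGN, A0, {"?p": "bob"})
    print("DO   :", r, "CALLS:", calls(r))
    s1 = exec_step(ASSIGN, A0, {}, {"?p": "bob"}, {("pickAdvisor", "bob"): "ann"})
    print("EXEC :", s1)
    # A later step must reuse the value already recorded for pickAdvisor(bob):
    print("again:", exec_step(ASSIGN, s1[0], s1[1], {"?p": "bob"},
                              {("pickAdvisor", "bob"): "carl"}))
```

The executability check (item 1 of EXEC) and the $T$-consistency filter of the transition system are left to the caller here; what the block isolates is the two-phase update and the agreement condition, which is why the second `exec_step` with a different value for the same call yields no transition.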

B From S-KABs to S-GKABs

This section is devoted to presenting the proof of Theorem 1. The core idea is to show that our translation $\tau_S$ transforms S-KABs into S-GKABs such that their transition systems are "equal" (in the sense that they have the same structure and each corresponding state contains the same ABox and service call map). As a consequence, they should satisfy the same formulas.

Technically, to formalize the notion of "equality" between transition systems, we introduce the notion of E-Bisimulation. Furthermore, we show that two E-bisimilar transition systems cannot be distinguished by $\mu\mathcal{L}^{EQL}_A$ properties. Then, to provide the proof of Theorem 1 we simply need to show that $\tau_S$ transforms S-KABs into S-GKABs such that their transition systems are E-bisimilar.

B.1 E-Bisimulation

We now define the notion of E-Bisimulation and show that two E-bisimilar transition systems cannot be distinguished by a $\mu\mathcal{L}^{EQL}_A$ formula.

Definition 14 (E-Bisimulation). Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ be transition systems, with $\mathrm{ADOM}(abox_1(s_{01})) \subseteq \Delta$ and $\mathrm{ADOM}(abox_2(s_{02})) \subseteq \Delta$. An E-Bisimulation between $\Upsilon_1$ and $\Upsilon_2$ is a relation $\mathcal{B} \subseteq \Sigma_1 \times \Sigma_2$ such that $\langle s_1, s_2\rangle \in \mathcal{B}$ implies that:

1. $abox_1(s_1) = abox_2(s_2)$;

2. for each $s'_1$, if $s_1 \Rightarrow_1 s'_1$ then there exists $s'_2$ with $s_2 \Rightarrow_2 s'_2$ such that $\langle s'_1, s'_2\rangle \in \mathcal{B}$;

3. for each $s'_2$, if $s_2 \Rightarrow_2 s'_2$ then there exists $s'_1$ with $s_1 \Rightarrow_1 s'_1$ such that $\langle s'_1, s'_2\rangle \in \mathcal{B}$. ■

Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ be transition systems. A state $s_1 \in \Sigma_1$ is E-bisimilar to $s_2 \in \Sigma_2$, written $s_1 \sim_E s_2$, if there exists an E-Bisimulation $\mathcal{B}$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_1, s_2\rangle \in \mathcal{B}$. The transition system $\Upsilon_1$ is E-bisimilar to $\Upsilon_2$, written $\Upsilon_1 \sim_E \Upsilon_2$, if there exists an E-Bisimulation $\mathcal{B}$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_{01}, s_{02}\rangle \in \mathcal{B}$.

Lemma 15. Consider two transition systems $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ such that $\Upsilon_1 \sim_E \Upsilon_2$. For every closed formula $\Phi$, we have:

\[
\Upsilon_1 \models \Phi \quad\text{if and only if}\quad \Upsilon_2 \models \Phi.
\]

Proof. The claim easily follows since two E-bisimilar transition systems are essentially equal in terms of the structure and the ABoxes that are contained in each bisimilar state. □

B.2 Reducing the Verification of S-KABs to S-GKABs

To reduce the verification of $\mu\mathcal{L}^{EQL}_A$ over S-KABs to verification over S-GKABs, in this subsection we show that the transition system of an S-KAB and the transition system of its corresponding S-GKAB are E-bisimilar. Then, by using the result from the previous subsection we can easily recast the verification problem and hence achieve our purpose.

Lemma 16. Let $\mathcal{K}$ be an S-KAB with transition system $\Upsilon^S_{\mathcal{K}}$, and let $\tau_S(\mathcal{K})$ be the S-GKAB obtained through $\tau_S$, with transition system $\Upsilon^S_{\tau_S(\mathcal{K})}$. Consider a state $\langle A_k, m_k\rangle$ of $\Upsilon^S_{\mathcal{K}}$ and a state $\langle A_g, m_g, \delta_g\rangle$ of $\Upsilon^S_{\tau_S(\mathcal{K})}$. If $A_k = A_g$ and $m_k = m_g$, then $\langle A_k, m_k\rangle \sim_E \langle A_g, m_g, \delta_g\rangle$.

Proof. Let

1. $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, and $\Upsilon^S_{\mathcal{K}} = (\Delta, T, \Sigma_k, s_{0k}, abox_k, \Rightarrow_k)$;

2. $\tau_S(\mathcal{K}) = (T, A_0, \Gamma, \delta)$, and $\Upsilon^S_{\tau_S(\mathcal{K})} = (\Delta, T, \Sigma_g, s_{0g}, abox_g, \Rightarrow_g)$.

To prove the lemma, we show that, for every state $\langle A'_k, m'_k\rangle$ s.t. $\langle A_k, m_k\rangle \Rightarrow_k \langle A'_k, m'_k\rangle$, there exists a state $\langle A'_g, m'_g, \delta'_g\rangle$ s.t.:

1. $\langle A_g, m_g, \delta_g\rangle \Rightarrow_g \langle A'_g, m'_g, \delta'_g\rangle$;

2. $A'_k = A'_g$;

3. $m'_k = m'_g$.

By definition of $\Upsilon^S_{\mathcal{K}}$, if $\langle A_k, m_k\rangle \Rightarrow_k \langle A'_k, m'_k\rangle$, then there exist

1. a condition-action rule $Q(\vec{p}) \mapsto a(\vec{p})$,

2. an action $a \in \Gamma$ with parameters $\vec{p}$,

3. a parameter substitution $\sigma$, and

4. a substitution $\theta$,

such that (i) $\theta \in \mathrm{EVAL}(T, A_k, a\sigma)$ and agrees with $m_k$, (ii) $a$ is executable in state $A_k$ with the parameter substitution $\sigma$, (iii) $A'_k = \mathrm{DO}(T, A_k, a\sigma)\theta$, and (iv) $m'_k = m_k \cup \theta$.

Now, since $\delta = \text{while true do } (\alpha_1 \mid \alpha_2 \mid \cdots \mid \alpha_{|\Pi|})$, and each $\alpha_i$ is an action invocation obtained from a condition-action rule in $\Pi$, there exists an action invocation $\alpha_i$ such that $\alpha_i = \text{pick } Q(\vec{x}).a(\vec{x})$. Since $A_k = A_g$ and $m_k = m_g$, by considering how a transition is created in the transition system of S-GKABs, it is easy to see that there exists a state $\langle A'_g, m'_g, \delta'_g\rangle$ such that $\langle A_g, m_g, \delta_g\rangle \Rightarrow_g \langle A'_g, m'_g, \delta'_g\rangle$, $A'_g = A'_k$, and $m'_g = m'_k$. Thus, the claim is proven. □

Lemma 17. Given an S-KAB $\mathcal{K}$, we have $\Upsilon^S_{\mathcal{K}} \sim_E \Upsilon^S_{\tau_S(\mathcal{K})}$.

Proof. Let

1. $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, and $\Upsilon^S_{\mathcal{K}} = (\Delta, T, \Sigma_k, s_{0k}, abox_k, \Rightarrow_k)$;

2. $\tau_S(\mathcal{K}) = (T, A_0, \Gamma, \delta)$, and $\Upsilon^S_{\tau_S(\mathcal{K})} = (\Delta, T, \Sigma_g, s_{0g}, abox_g, \Rightarrow_g)$.

We have that $s_{0k} = \langle A_0, m_k\rangle$ and $s_{0g} = \langle A_0, m_g, \delta\rangle$ where $m_k = m_g = \emptyset$. Hence, by Lemma 16 we have $s_{0k} \sim_E s_{0g}$. Therefore, by the definition of E-bisimulation between two transition systems, we have $\Upsilon^S_{\mathcal{K}} \sim_E \Upsilon^S_{\tau_S(\mathcal{K})}$. □

Having Lemma 17 in hand, we can easily show that the verification of $\mu\mathcal{L}^{EQL}_A$ over S-KABs can be reduced to the verification of $\mu\mathcal{L}^{EQL}_A$ over S-GKABs, by also making use of the result from the previous subsection.

Theorem 18. Given an S-KAB $\mathcal{K}$ and a closed $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$, we have $\Upsilon^S_{\mathcal{K}} \models \Phi$ iff $\Upsilon^S_{\tau_S(\mathcal{K})} \models \Phi$.

Proof. By Lemma 17 we have that $\Upsilon^S_{\mathcal{K}} \sim_E \Upsilon^S_{\tau_S(\mathcal{K})}$. Hence, the claim directly follows from Lemma 15. □

Proof of Theorem 1. The proof is simply obtained since we can translate S-KABs into S-GKABs using $\tau_S$ and then, by making use of Theorem 18, we basically reduce the verification of S-KABs to that of S-GKABs. □

C From S-GKABs to S-KABs

We dedicate this section to showing that the verification of $\mu\mathcal{L}^{EQL}_A$ properties over S-GKABs can be recast as verification over S-KABs, which essentially exhibits the proof of Theorem 3. To this aim, technically we do the following:

1. We define a special bisimulation relation between two transition systems, namely jumping bisimulation.

2. We define a generic translation $t_J$ that takes a $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ in Negation Normal Form (NNF) as input and produces a $\mu\mathcal{L}^{EQL}_A$ formula $t_J(\Phi)$.

3. We show that two jumping bisimilar transition systems cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula (in NNF) modulo the translation $t_J$.

4. We define a generic translation $\tau_G$ that, given an S-GKAB $\mathcal{G}$, produces an S-KAB $\tau_G(\mathcal{G})$. The core idea of this translation is to transform the given program $\delta$ and the set of actions in the S-GKAB $\mathcal{G}$ into a process (a set of condition-action rules) and a set of S-KAB actions, such that all possible sequences of action executions that are enforced by $\delta$ can be mimicked by the process in the S-KAB (which determines all possible sequences of action executions in the S-KAB).

5. We show that the transition system of a GKAB $\mathcal{G}$ and the transition system of its corresponding S-KAB $\tau_G(\mathcal{G})$ (obtained through the translation $\tau_G$) are bisimilar w.r.t. the jumping bisimulation relation.

6. Making use of all the ingredients above, we finally show that a GKAB $\mathcal{G}$ satisfies a certain $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ if and only if its corresponding S-KAB $\tau_G(\mathcal{G})$ satisfies the $\mu\mathcal{L}^{EQL}_A$ formula $t_J(\Phi)$.

C.1 Jumping Bisimulation (J-Bisimulation)

As a start towards defining the notion of J-Bisimulation, we introduce the notion of equality modulo special markers between two ABoxes as follows:

Definition 19 (Equal Modulo Special Markers). Given a TBox $T$, and two ABoxes $A_1$ and $A_2$ over $\mathrm{VOC}(T)$ that might contain special markers, we say $A_1$ is equal to $A_2$ modulo special markers, written $A_1 \sim A_2$ (or equivalently $A_2 \sim A_1$), if the following hold:

• for each concept name $N \in \mathrm{VOC}(T)$ (i.e., $N$ is not a special marker concept name), we have a concept assertion $N(c) \in A_1$ if and only if a concept assertion $N(c) \in A_2$;

• for each role name $P \in \mathrm{VOC}(T)$, we have a role assertion $P(c_1, c_2) \in A_1$ if and only if a role assertion $P(c_1, c_2) \in A_2$. ■

Lemma 20. $A_1 = A_2$ implies $A_1 \sim A_2$.

Proof. Trivially true from the definition of $A_1 \sim A_2$ above (see Definition 19). □

Lemma 21. Given a GKAB $\mathcal{G} = (T, A_0, \Gamma, \delta)$, two ABoxes $A_1$ and $A_2$ over $\mathrm{VOC}(T)$ which might contain special markers, and an ECQ $Q$ over $(T, A_0)$ which does not contain any atoms whose predicates are special marker concept names. If $A_1 \sim A_2$, then $\mathrm{ANS}(Q, T, A_1) = \mathrm{ANS}(Q, T, A_2)$.

Proof. Trivially holds since, without considering special markers, we have $A_1 = A_2$ (i.e., we have a concept assertion $N(c) \in A_1$ if and only if a concept assertion $N(c) \in A_2$, and we have a role assertion $P(c_1, c_2) \in A_1$ if and only if a role assertion $P(c_1, c_2) \in A_2$). Hence $\mathrm{ANS}(Q, T, A_1) = \mathrm{ANS}(Q, T, A_2)$. □
We now proceed to define the notion of jumping bisimulation as follows.

Definition 22 (Jumping Bisimulation (J-Bisimulation)). Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ be transition systems, with $\mathrm{ADOM}(abox_1(s_{01})) \subseteq \Delta$ and $\mathrm{ADOM}(abox_2(s_{02})) \subseteq \Delta$. A jumping bisimulation (J-Bisimulation) between $\Upsilon_1$ and $\Upsilon_2$ is a relation $\mathcal{B} \subseteq \Sigma_1 \times \Sigma_2$ such that $\langle s_1, s_2\rangle \in \mathcal{B}$ implies that:

1. $abox_1(s_1) \sim abox_2(s_2)$;

2. for each $s'_1$, if $s_1 \Rightarrow_1 s'_1$ then there exist $s'_2, t_1, \ldots, t_n$ (for $n \geq 0$) with

\[
s_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s'_2
\]

such that $\langle s'_1, s'_2\rangle \in \mathcal{B}$, $State(temp) \notin abox_2(s'_2)$ and $State(temp) \in abox_2(t_i)$ for $i \in \{1, \ldots, n\}$;

3. for each $s'_2$, if

\[
s_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s'_2
\]

(for $n \geq 0$) with $State(temp) \in abox_2(t_i)$ for $i \in \{1, \ldots, n\}$ and $State(temp) \notin abox_2(s'_2)$, then there exists $s'_1$ with $s_1 \Rightarrow_1 s'_1$, such that $\langle s'_1, s'_2\rangle \in \mathcal{B}$. ■

Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ be transition systems. A state $s_1 \in \Sigma_1$ is J-bisimilar to $s_2 \in \Sigma_2$, written $s_1 \sim_J s_2$, if there exists a jumping bisimulation $\mathcal{B}$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_1, s_2\rangle \in \mathcal{B}$. A transition system $\Upsilon_1$ is J-bisimilar to $\Upsilon_2$, written $\Upsilon_1 \sim_J \Upsilon_2$, if there exists a jumping bisimulation $\mathcal{B}$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_{01}, s_{02}\rangle \in \mathcal{B}$.
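As an added example (not code from the paper), the following Python computes the largest jumping bisimulation between two constructed finite transition systems by a greatest-fixpoint refinement: it starts from all pairs of states whose ABoxes are equal modulo special markers (Definition 19) and removes pairs until conditions 2 and 3 of Definition 22 hold, where a step of the second system is a path through states marked with $State(temp)$ that ends in an unmarked state. When the second system has no marked states the same computation yields the E-bisimulation of Definition 14. The transition systems, state names and fact encoding are our own constructions.

```python
# Added example (not from the paper): the largest jumping bisimulation
# (Definition 22) between two constructed finite transition systems, the second
# of which marks intermediate states with State(temp).  With no marked states
# the same code computes the E-bisimulation of Definition 14.
TEMP = ("State", "temp")


class TS:
    """A finite transition system: abox(s) as a frozenset of facts, succ(s)."""
    def __init__(self, abox, edges):
        self.abox = {s: frozenset(a) for s, a in abox.items()}
        self.succ = {s: set() for s in abox}
        for a, b in edges:
            self.succ[a].add(b)


def strip_markers(facts):
    """Drop special markers so that A1 ~ A2 (Definition 19) is plain equality."""
    return frozenset(f for f in facts if f[0] not in {"State", "Flag", "Noop"})


def jumps(ts, s):
    """Stable successors of s: the targets s' of paths s => t1 => ... => tn => s'
    (n >= 0) with State(temp) in every ti and State(temp) not in s'."""
    found, frontier, seen = set(), [s], {s}
    while frontier:
        u = frontier.pop()
        for v in ts.succ[u]:
            if TEMP in ts.abox[v]:
                if v not in seen:
                    seen.add(v)
                    frontier.append(v)
            else:
                found.add(v)
    return found


def j_bisimulation(t1, t2):
    """Greatest fixpoint: start from all pairs with equal ABoxes modulo
    markers and drop pairs violating condition 2 or 3 until nothing changes."""
    rel = {(s1, s2) for s1 in t1.abox for s2 in t2.abox
           if strip_markers(t1.abox[s1]) == strip_markers(t2.abox[s2])}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(rel):
            fwd = all(any((a, b) in rel for b in jumps(t2, s2)) for a in t1.succ[s1])
            bwd = all(any((a, b) in rel for a in t1.succ[s1]) for b in jumps(t2, s2))
            if not (fwd and bwd):
                rel.discard((s1, s2))
                changed = True
    return rel


def j_bisimilar(t1, s01, t2, s02):
    return (s01, s02) in j_bisimulation(t1, t2)


# Constructed systems.  T1 takes one step per action; T2 inserts a marked
# intermediate state after each action (as tau_G does); T3 inserts an
# unmarked one, which a formula can observe and which therefore breaks
# the correspondence.
T1 = TS({"p0": {("A", "a")}, "p1": {("B", "a")}, "p2": {("C", "a")}},
        [("p0", "p1"), ("p1", "p2")])
T2 = TS({"q0": {("A", "a")}, "q0t": {("A", "a"), TEMP}, "q1": {("B", "a")},
         "q1t": {("B", "a"), TEMP}, "q2": {("C", "a")}},
        [("q0", "q0t"), ("q0t", "q1"), ("q1", "q1t"), ("q1t", "q2")])
T3 = TS({"r0": {("A", "a")}, "r0u": {("A", "a")}, "r1": {("B", "a")}},
        [("r0", "r0u"), ("r0u", "r1")])

if __name__ == "__main__":
    print("T1 ~J T2:", j_bisimilar(T1, "p0", T2, "q0"))
    print("T1 ~J T3:", j_bisimilar(T1, "p0", T3, "r0"))
    print("T1 ~E T1:", j_bisimilar(T1, "p0", T1, "p0"))
```

The refinement terminates because the relation only shrinks; on finite systems this is the standard way to decide whether a candidate relation can be extended to a bisimulation, and the `jumps` helper is exactly the "skip over $State(temp)$ states" clause that distinguishes J-bisimulation from E-bisimulation.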

Now, we advance further to show that two J-bisimilar transition systems cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula (in NNF) modulo a translation $t_J$ that is defined as follows:

Definition 23 (Translation $t_J$). We define a translation $t_J$ that transforms an arbitrary $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ (in NNF) into another $\mu\mathcal{L}^{EQL}_A$ formula $\Phi'$ inductively by recurring over the structure of $\Phi$ as follows:

\[
\begin{array}{lcl}
t_J(Q) & = & Q \\
t_J(\neg Q) & = & \neg Q \\
t_J(\mathcal{Q}x.\Phi) & = & \mathcal{Q}x.t_J(\Phi) \\
t_J(\Phi_1 \circ \Phi_2) & = & t_J(\Phi_1) \circ t_J(\Phi_2) \\
t_J(\circledast Z.\Phi) & = & \circledast Z.t_J(\Phi) \\
t_J(\langle - \rangle\Phi) & = & \langle - \rangle \mu Z.\big( (State(temp) \wedge \langle - \rangle Z) \vee (\neg State(temp) \wedge t_J(\Phi)) \big) \\
t_J([-]\Phi) & = & [-] \mu Z.\big( (State(temp) \wedge [-]Z \wedge \langle - \rangle\top) \vee (\neg State(temp) \wedge t_J(\Phi)) \big)
\end{array}
\]

where:

• $\circ$ is a binary operator ($\vee$, $\wedge$, $\rightarrow$, or $\leftrightarrow$),

• $\circledast$ is the least ($\mu$) or greatest ($\nu$) fixpoint operator,

• $\mathcal{Q}$ is the universal ($\forall$) or existential ($\exists$) quantifier.
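As an added example (not code from the paper), the following Python implements the three property translations that appear on this page as one recursive walk over a formula syntax tree: $t_{dup}$ of Section 4.2 (each modality doubled), $t_B$ of Section 4.1 (marker $M(rep)$, with the extra leading modality for the action step) and $t_J$ of Definition 23 (marker $State(temp)$). The tuple-based syntax, the ASCII pretty printer and the sample formula are our own assumptions, and predicate variables $Z$ are translated to themselves, a case the definition does not list explicitly.

```python
# Added example (not from the paper): the property translations t_dup
# (Section 4.2), t_B (Section 4.1) and t_J (Definition 23) as functions over a
# formula syntax tree.  Formulas are tuples: ("Q", "P(x)"), ("not", f),
# ("and"|"or"|"impl", f, g), ("exists"|"forall", "x", f), ("mu"|"nu", "Z", f),
# ("Z", "Z") for a predicate variable, ("dia", f) for <->f and ("box", f)
# for [-]f.  Inputs are assumed to be in NNF, as Definition 23 requires;
# the syntax and the printer are our own assumptions.


def reach(op, inner, marker):
    """<->mu Z.((marker & <->Z) | (~marker & inner)), or the [-] variant
    [-]mu Z.(((marker & [-]Z) & <->true) | (~marker & inner))."""
    m, nm = ("Q", marker), ("not", ("Q", marker))
    if op == "dia":
        loop = ("and", m, ("dia", ("Z", "Z")))
    else:
        loop = ("and", ("and", m, ("box", ("Z", "Z"))), ("dia", ("Q", "true")))
    return (op, ("mu", "Z", ("or", loop, ("and", nm, inner))))


def translate(phi, marker, extra_step=False):
    """Common skeleton of t_J and t_B: leave literals alone, recurse through
    connectives, quantifiers and fixpoints, and rewrite each modality into
    'reach the next state not carrying the marker'.  With extra_step the
    rewritten modality is prefixed by one more of the same kind (t_B)."""
    op = phi[0]
    if op in ("Q", "not", "Z"):
        return phi
    if op in ("and", "or", "impl"):
        return (op, translate(phi[1], marker, extra_step),
                translate(phi[2], marker, extra_step))
    if op in ("exists", "forall", "mu", "nu"):
        return (op, phi[1], translate(phi[2], marker, extra_step))
    if op in ("dia", "box"):
        body = reach(op, translate(phi[1], marker, extra_step), marker)
        return (op, body) if extra_step else body
    raise ValueError(op)


def t_J(phi):
    return translate(phi, "State(temp)")


def t_B(phi):
    return translate(phi, "M(rep)", extra_step=True)


def t_dup(phi):
    """Section 4.2: every <->f becomes <-><->f and every [-]f becomes [-][-]f."""
    op = phi[0]
    if op in ("Q", "not", "Z"):
        return phi
    if op in ("and", "or", "impl"):
        return (op, t_dup(phi[1]), t_dup(phi[2]))
    if op in ("exists", "forall", "mu", "nu"):
        return (op, phi[1], t_dup(phi[2]))
    return (op, (op, t_dup(phi[1])))


SYM = {"and": " & ", "or": " | ", "impl": " -> ",
       "exists": "E", "forall": "A", "mu": "mu ", "nu": "nu "}


def show(phi):
    """ASCII rendering: ~ for negation, E/A for the quantifiers, <-> and [-]."""
    op = phi[0]
    if op in ("Q", "Z"):
        return phi[1]
    if op == "not":
        return "~" + show(phi[1])
    if op in ("and", "or", "impl"):
        return "(" + show(phi[1]) + SYM[op] + show(phi[2]) + ")"
    if op in ("exists", "forall", "mu", "nu"):
        return SYM[op] + phi[1] + "." + show(phi[2])
    return ("<->" if op == "dia" else "[-]") + show(phi[1])


# Constructed property: nu Z.(A x.(Student(x) -> <->Enrolled(x)) & [-]Z)
SAMPLE = ("nu", "Z", ("and",
          ("forall", "x", ("impl", ("Q", "Student(x)"), ("dia", ("Q", "Enrolled(x)")))),
          ("box", ("Z", "Z"))))

if __name__ == "__main__":
    print("phi     :", show(SAMPLE))
    print("t_dup   :", show(t_dup(SAMPLE)))
    print("t_J     :", show(t_J(("dia", ("Q", "P(a)")))))
    print("t_B     :", show(t_B(("dia", ("Q", "P(a)")))))
```

The two marker-based translations differ only in the marker query and in the extra leading modality of $t_B$, which is why they share `translate`; $t_{dup}$ has no marker because in $\tau_C(\mathcal{G})$ the repair always takes exactly one transition.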


Lemma 24. Consider two transition systems 
Ti = (A, T, Ei, soil aboxi, => 1 ) and T 2 = 

(A, T, E 2 , S 02 , abox 2 , => 2 ), with ADOM(a&oa:i(soi)) C A 
and ADOM(a&oa: 2 (so 2 )) Q A. Consider two states si £ Si 
and s 2 £ S 2 such that Si s 2 . Then for every formula <J> 


of pC E ± E (in negation normal form), and every valuations 
Vi and v 2 that assign to each of its free variables a constant 
Ci £ ADOM(a 6 oxi(si)) and c 2 £ ADOM(abox 2 (s 2 )), such 
that ci = c 2 , we have that 

Ti, si j= <f>t>i if and only ifT 2 , S 2 |= tj(&)v 2 . 

Proof The proof is then organized in three parts: 

(1) We prove the claim for formulae of C E ^ E , obtained from 
pCf L by dropping the predicate variables and the fixpoint 
constructs. T EQL corresponds to a first-order variant of the 
Hennessy Milner logic, and its semantics does not depend 
on the second-order valuation. 

(2) We extend the results to the infinitary logic obtained by 
extending T EQL with arbitrary countable disjunction. 

(3) We recall that fixpoints can be translated into this infinitary 
logic, thus proving that the theorem holds for pC E ^ L . 

Proof for T EQL . We proceed by induction on the structure of 
< 1 », without considering the case of predicate variable and of 
fixpoint constructs, which are not part of £ EQL . 

Base case:

($\Phi = Q$). Since $s_1 \sim_J s_2$, we have $\mathit{abox}_1(s_1) \sim \mathit{abox}_2(s_2)$. Hence, since we also require that no $\mu\mathcal{L}^{\mathit{EQL}}_A$ formula uses the special marker concept names, by Lemma 21 we have $\mathrm{ANS}(Q, T, \mathit{abox}_1(s_1)) = \mathrm{ANS}(Q, T, \mathit{abox}_2(s_2))$. Hence, since $t_J(Q) = Q$, for every valuations $v_1$ and $v_2$ that assign to each of its free variables constants $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$ such that $c_1 = c_2$, we have

$\Upsilon_1, s_1 \models Q v_1$ if and only if $\Upsilon_2, s_2 \models t_J(Q) v_2$.

($\Phi = \neg Q$). Similar to the previous case.

Inductive step:

($\Phi = \Psi_1 \wedge \Psi_2$). $\Upsilon_1, s_1 \models (\Psi_1 \wedge \Psi_2) v_1$ if and only if both $\Upsilon_1, s_1 \models \Psi_1 v_1$ and $\Upsilon_1, s_1 \models \Psi_2 v_1$. By induction hypothesis, for every valuations $v_1$ and $v_2$ that assign to each of its free variables constants $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$ such that $c_1 = c_2$, we have

- $\Upsilon_1, s_1 \models \Psi_1 v_1$ if and only if $\Upsilon_2, s_2 \models t_J(\Psi_1) v_2$, and also

- $\Upsilon_1, s_1 \models \Psi_2 v_1$ if and only if $\Upsilon_2, s_2 \models t_J(\Psi_2) v_2$.

Hence, $\Upsilon_1, s_1 \models \Psi_1 v_1$ and $\Upsilon_1, s_1 \models \Psi_2 v_1$ if and only if $\Upsilon_2, s_2 \models t_J(\Psi_1) v_2$ and $\Upsilon_2, s_2 \models t_J(\Psi_2) v_2$. Therefore we have $\Upsilon_1, s_1 \models (\Psi_1 \wedge \Psi_2) v_1$ if and only if $\Upsilon_2, s_2 \models (t_J(\Psi_1) \wedge t_J(\Psi_2)) v_2$. Since $t_J(\Psi_1 \wedge \Psi_2) = t_J(\Psi_1) \wedge t_J(\Psi_2)$, we have

$\Upsilon_1, s_1 \models (\Psi_1 \wedge \Psi_2) v_1$ iff $\Upsilon_2, s_2 \models t_J(\Psi_1 \wedge \Psi_2) v_2$.

The proofs for the cases $\Phi = \Psi_1 \vee \Psi_2$, $\Phi = \Psi_1 \rightarrow \Psi_2$, and $\Phi = \Psi_1 \leftrightarrow \Psi_2$ are analogous.

($\Phi = \langle-\rangle\Psi$). Assume $\Upsilon_1, s_1 \models (\langle-\rangle\Psi) v_1$, where $v_1$ is a valuation that assigns to each free variable of $\Psi$ a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$. Then there exists $s_1'$ s.t. $s_1 \Rightarrow_1 s_1'$ and $\Upsilon_1, s_1' \models \Psi v_1$. Since $s_1 \sim_J s_2$, there exist $s_2', t_1, \ldots, t_n$ (for $n \geq 0$) with

$s_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s_2'$

such that $s_1' \sim_J s_2'$, $\mathit{State}(\mathit{temp}) \in \mathit{abox}_2(t_i)$ for $i \in \{1, \ldots, n\}$, and $\mathit{State}(\mathit{temp}) \notin \mathit{abox}_2(s_2')$. Hence, by induction hypothesis, for every valuation $v_2$ that assigns to each free variable $x$ of $t_J(\Psi)$ a constant $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2'))$ such that $c_1 = c_2$ and $x/c_1 \in v_1$, we have $\Upsilon_2, s_2' \models t_J(\Psi) v_2$. Considering that

$s_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s_2'$

(for $n \geq 0$), $\mathit{State}(\mathit{temp}) \in \mathit{abox}_2(t_i)$ for $i \in \{1, \ldots, n\}$, and $\mathit{State}(\mathit{temp}) \notin \mathit{abox}_2(s_2')$, we therefore get

$\Upsilon_2, s_2 \models (\langle-\rangle\mu Z.((\mathit{State}(\mathit{temp}) \wedge \langle-\rangle Z) \vee (\neg\mathit{State}(\mathit{temp}) \wedge t_J(\Psi)))) v_2$.

Since

$t_J(\langle-\rangle\Psi) = \langle-\rangle\mu Z.((\mathit{State}(\mathit{temp}) \wedge \langle-\rangle Z) \vee (\neg\mathit{State}(\mathit{temp}) \wedge t_J(\Psi)))$,

we thus have

$\Upsilon_2, s_2 \models t_J(\langle-\rangle\Psi) v_2$.

The other direction can be shown in a symmetric way.

($\Phi = [-]\Psi$). The proof is similar to the case $\Phi = \langle-\rangle\Psi$.

($\Phi = \exists x.\Psi$). Assume that $\Upsilon_1, s_1 \models (\exists x.\Psi) v_1$, where $v_1$ is a valuation that assigns to each free variable of $\Psi$ a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$. Then, by definition, there exists $c \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ such that $\Upsilon_1, s_1 \models \Psi v_1'$, where $v_1' = v_1[x/c]$. By induction hypothesis, for every valuation $v_2'$ that assigns to each free variable $y$ of $t_J(\Psi)$ a constant $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$ such that $c_1 = c_2$ and $y/c_1 \in v_1'$, we have that $\Upsilon_2, s_2 \models t_J(\Psi) v_2'$. Additionally, we have $v_2' = v_2[x/d]$, where $d \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, and $d = c$ because $\mathit{abox}_2(s_2) \sim \mathit{abox}_1(s_1)$. Hence, we get $\Upsilon_2, s_2 \models (\exists x.t_J(\Psi)) v_2$. Since $t_J(\exists x.\Psi) = \exists x.t_J(\Psi)$, we thus have $\Upsilon_2, s_2 \models t_J(\exists x.\Psi) v_2$. The other direction can be shown similarly.

($\Phi = \forall x.\Psi$). The proof is similar to the case $\Phi = \exists x.\Psi$.

Extension to arbitrary countable disjunction. Let $\Psi$ be a countable set of $\mathcal{L}^{\mathit{EQL}}_A$ formulae. Given a transition system $\Upsilon = \langle \Delta, T, \Sigma, s_0, \mathit{abox}, \Rightarrow \rangle$, the semantics of $\bigvee\Psi$ is $(\bigvee\Psi)^\Upsilon_v = \bigcup_{\psi \in \Psi} (\psi)^\Upsilon_v$. Therefore, given a state $s \in \Sigma$ we have $\Upsilon, s \models (\bigvee\Psi) v$ if and only if there exists $\psi \in \Psi$ such that $\Upsilon, s \models \psi v$. Arbitrary countable conjunction can be obtained similarly.

Now, let $\Upsilon_1 = \langle \Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1 \rangle$ and $\Upsilon_2 = \langle \Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2 \rangle$. Consider two states $s_1 \in \Sigma_1$ and $s_2 \in \Sigma_2$ such that $s_1 \sim_J s_2$. By induction hypothesis, for every valuations $v_1$ and $v_2$ that assign to each of its free variables constants $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$ such that $c_1 = c_2$, we have that for every formula $\psi \in \Psi$, it holds $\Upsilon_1, s_1 \models \psi v_1$ if and only if $\Upsilon_2, s_2 \models t_J(\psi) v_2$. Given the semantics of $\bigvee\Psi$ above, this implies that $\Upsilon_1, s_1 \models (\bigvee\Psi) v_1$ if and only if $\Upsilon_2, s_2 \models (\bigvee t_J(\Psi)) v_2$, where $t_J(\Psi) = \{t_J(\psi) \mid \psi \in \Psi\}$. The proof is then obtained by observing that $\bigvee t_J(\Psi) = t_J(\bigvee\Psi)$.

Extension to full $\mu\mathcal{L}^{\mathit{EQL}}_A$. In order to extend the result to the whole $\mu\mathcal{L}^{\mathit{EQL}}_A$, we resort to the well-known result stating that fixpoints of the $\mu$-calculus can be translated into the infinitary Hennessy-Milner logic by iterating over approximants, where the approximant of index $\alpha$ is denoted by $\mu^\alpha Z.\Phi$ (resp. $\nu^\alpha Z.\Phi$). This is a standard result that also holds for $\mu\mathcal{L}^{\mathit{EQL}}_A$. In particular, approximants are built as follows:

$\mu^0 Z.\Phi = \mathit{false}$ \qquad $\nu^0 Z.\Phi = \mathit{true}$

$\mu^{\beta+1} Z.\Phi = \Phi[Z/\mu^\beta Z.\Phi]$ \qquad $\nu^{\beta+1} Z.\Phi = \Phi[Z/\nu^\beta Z.\Phi]$

$\mu^\lambda Z.\Phi = \bigvee_{\beta < \lambda} \mu^\beta Z.\Phi$ \qquad $\nu^\lambda Z.\Phi = \bigwedge_{\beta < \lambda} \nu^\beta Z.\Phi$

where $\lambda$ is a limit ordinal, and where fixpoints and their approximants are connected by the following properties: given a transition system $\Upsilon$ and a state $s$ of $\Upsilon$,

• $s \in (\mu Z.\Phi)^\Upsilon_v$ if and only if there exists an ordinal $\alpha$ such that $s \in (\mu^\alpha Z.\Phi)^\Upsilon_v$ and, for every $\beta < \alpha$, it holds that $s \notin (\mu^\beta Z.\Phi)^\Upsilon_v$;

• $s \notin (\nu Z.\Phi)^\Upsilon_v$ if and only if there exists an ordinal $\alpha$ such that $s \notin (\nu^\alpha Z.\Phi)^\Upsilon_v$ and, for every $\beta < \alpha$, it holds that $s \in (\nu^\beta Z.\Phi)^\Upsilon_v$.

□


As a consequence of Lemma 24 above, we easily obtain the following lemma, saying that two transition systems which are J-bisimilar cannot be distinguished by any $\mu\mathcal{L}^{\mathit{EQL}}_A$ formula (in NNF) modulo the translation $t_J$.

Lemma 25. Consider two transition systems $\Upsilon_1 = \langle \Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1 \rangle$ and $\Upsilon_2 = \langle \Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2 \rangle$ such that $\Upsilon_1 \sim_J \Upsilon_2$. For every $\mu\mathcal{L}^{\mathit{EQL}}_A$ closed formula $\Phi$ (in NNF), we have:

$\Upsilon_1 \models \Phi$ if and only if $\Upsilon_2 \models t_J(\Phi)$.

Proof. Since by definition we have $s_{01} \sim_J s_{02}$, the claim is a consequence of Lemma 24, which gives

$\Upsilon_1, s_{01} \models \Phi$ if and only if $\Upsilon_2, s_{02} \models t_J(\Phi)$.

□
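The following is an added, executable illustration of Lemmas 24 and 25 and is not part of the paper: a small model checker for a propositional fragment of the $\mu$-calculus (atoms, $\wedge$, $\vee$, $\langle-\rangle$, $[-]$, $\mu$, $\nu$) over finite transition systems, together with the translation $t_J$ as defined above. The two toy systems, the formula encoding and all state and label names are constructed for this example; the `State(temp)` states of the second system play the role of the intermediate marker states that the translation of Appendix C.2 introduces. The example shows that $G, g_0 \models \Phi$ iff $K, k_0 \models t_J(\Phi)$, and that the plain modalities (without $t_J$) are broken by the marker states.

```python
# Added example (not from the paper): finite-state check of the translation t_J of Lemma 24.
TEMP = "State(temp)"   # the special marker concept assertion of Appendix C.2

class TS:
    """Finite transition system: states, successor relation and atomic labels per state."""
    def __init__(self, succ, labels):
        self.states = frozenset(succ)
        self.succ = {s: frozenset(t) for s, t in succ.items()}
        self.labels = labels

def sem(phi, ts, env=None):
    """Set of states of ts satisfying phi (in NNF); env binds fixpoint variables."""
    env = env or {}
    k = phi[0]
    if k == "true":  return set(ts.states)
    if k == "atom":  return {s for s in ts.states if phi[1] in ts.labels[s]}
    if k == "natom": return {s for s in ts.states if phi[1] not in ts.labels[s]}
    if k == "and":   return sem(phi[1], ts, env) & sem(phi[2], ts, env)
    if k == "or":    return sem(phi[1], ts, env) | sem(phi[2], ts, env)
    if k == "dia":   # <->phi: some successor satisfies phi
        inner = sem(phi[1], ts, env)
        return {s for s in ts.states if ts.succ[s] & inner}
    if k == "box":   # [-]phi: every successor satisfies phi
        inner = sem(phi[1], ts, env)
        return {s for s in ts.states if ts.succ[s] <= inner}
    if k == "var":   return set(env[phi[1]])
    if k in ("mu", "nu"):  # Kleene iteration from bottom (mu) or from top (nu); finite, so it terminates
        cur = set() if k == "mu" else set(ts.states)
        while True:
            nxt = sem(phi[2], ts, {**env, phi[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(phi)

def t_J(phi):
    """Translation t_J of Lemma 24: modalities skip over runs of State(temp) states."""
    k = phi[0]
    if k in ("true", "atom", "natom", "var"):
        return phi
    if k in ("and", "or"):
        return (k, t_J(phi[1]), t_J(phi[2]))
    if k in ("mu", "nu"):
        return (k, phi[1], t_J(phi[2]))
    temp, ntemp = ("atom", TEMP), ("natom", TEMP)
    if k == "dia":   # <->mu Z.((State(temp) and <->Z) or (not State(temp) and t_J(phi)))
        return ("dia", ("mu", "_Z", ("or", ("and", temp, ("dia", ("var", "_Z"))),
                                            ("and", ntemp, t_J(phi[1])))))
    if k == "box":   # [-]nu Z.((State(temp) and [-]Z and <->true) or (not State(temp) and t_J(phi)))
        return ("box", ("nu", "_Z", ("or", ("and", temp, ("and", ("box", ("var", "_Z")), ("dia", ("true",)))),
                                            ("and", ntemp, t_J(phi[1])))))
    raise ValueError(phi)

def holds(ts, phi, s):
    return s in sem(phi, ts)

# Constructed toy systems. G has no marker states; K is the same run with marker states
# t1..t3 interleaved, so that g0 ~J k0 although k0 and g0 are not plainly bisimilar.
G = TS({"g0": {"g1"}, "g1": {"g2"}, "g2": set()},
       {"g0": {"p"}, "g1": {"q"}, "g2": {"r"}})
K = TS({"k0": {"t1"}, "t1": {"k1"}, "k1": {"t2"}, "t2": {"t3"}, "t3": {"k2"}, "k2": set()},
       {"k0": {"p"}, "k1": {"q"}, "k2": {"r"}, "t1": {TEMP}, "t2": {TEMP}, "t3": {TEMP}})

FORMULAS = [
    ("dia", ("atom", "q")),
    ("box", ("atom", "q")),
    ("box", ("atom", "r")),
    ("dia", ("dia", ("atom", "r"))),
    ("mu", "Z", ("or", ("atom", "r"), ("dia", ("var", "Z")))),                     # eventually r
    ("nu", "Z", ("and", ("or", ("atom", "p"), ("or", ("atom", "q"), ("atom", "r"))),
                        ("box", ("var", "Z")))),                                    # always p or q or r
]

def lemma24_agrees(formulas=FORMULAS):
    """Lemma 24 on the toy systems: G,g0 |= Phi iff K,k0 |= t_J(Phi), for each Phi."""
    return [holds(G, f, "g0") == holds(K, t_J(f), "k0") for f in formulas]

def naive_agrees(formulas=FORMULAS):
    """The same comparison without t_J: plain modalities see the marker states."""
    return [holds(G, f, "g0") == holds(K, f, "k0") for f in formulas]
```

The `box` case carries the extra $\langle-\rangle\top$ conjunct so that a marker state with no successors cannot vacuously satisfy the translated box; without it a deadlocked `temp` state would make $t_J([-]\Phi)$ true where $[-]\Phi$ is false on the original system.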


C.2 Transforming S-GKABs into S-KABs

As the first step towards defining a generic translation to compile S-GKABs into S-KABs, we introduce the notion of program IDs as follows.

Definition 26 (Golog Program with IDs). Given a set of actions $\Gamma$, a Golog program with ID $\delta$ over $\Gamma$ is an expression formed by the following grammar:

$\langle \mathit{id}, \delta \rangle ::= \langle \mathit{id}, \varepsilon \rangle \mid \langle \mathit{id}, \textbf{pick}\ Q(\vec{p}).\alpha(\vec{p}) \rangle \mid \langle \mathit{id}, \delta_1 | \delta_2 \rangle \mid \langle \mathit{id}, \delta_1 ; \delta_2 \rangle \mid \langle \mathit{id}, \textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2 \rangle \mid \langle \mathit{id}, \textbf{while}\ \varphi\ \textbf{do}\ \delta \rangle$

where $\mathit{id}$ is a program ID, which is simply a string over some alphabet, and the remaining constructs are the same as in the usual Golog programs defined before. ■

All notions related to Golog programs can be defined similarly for Golog programs with ID. We now define a formal translation that transforms a Golog program into a Golog program with ID. As for notation, given program IDs $\mathit{id}$ and $\mathit{id}'$, we write $\mathit{id}.\mathit{id}'$ to denote the string obtained by concatenating the strings $\mathit{id}$ and $\mathit{id}'$.
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Definition 27 (Program ID Assignment). We define a transla¬ 
tion T ic i{S,id) that 

1. takes a program 6 as well as a program ID id, and 

2. produces a golog program with ID (id, 6 u i) such that each 
sub-program of 6 is associated with a unique program ID 
and occurrence matters (i.e., for each sub-program S' of 
5 such that S' occurs more than once in 5, each of them 
has a different program ID). 

The translation Tid(S, id) is formally defined as follows: 

• T id (s, id) = (id, e), 

• T irf (pick Q(fl).a(p),id) = (id, pick Q(p).a(p)), 

• T. ld (Si\S 2 , id) = (id, T id (id.id', Si)\T id (id.id", S 2 )), 
where id' and id” are fresh program IDs. 

• T id (Sp,5 2 ,id) = (id,T id (id.id' ,S\)-,Tid(id.id" ,S 2 )), 
where id' and id” are fresh program IDs. 

• 77 / (if tp then S-\ else S 2 , id) = 

(id, if <p then nflid.id!, <5i) else Tid(id.id", S 2 )), 
where id' and id" are fresh program IDs. 

• Tid (while ip do 5\, id) = 

(id, while ip do Tid(id.id', S±)), 
where id' is a fresh program IDs. 

Given a program S, we say (id, Sid) is a program with ID w.r.t. 
6 if Tid(S, id) = (id, Sid) where id is a fresh program ID and 
S^ is a program with ID. ■ 

Definition 28 (Program ID Retrieval Function). Let $\delta$ be a program and $\langle \mathit{id}, \delta_{\mathit{id}} \rangle$ be its corresponding program with ID w.r.t. $\delta$. We define a function $\mathit{pid}$ that

1. maps each sub-program of $\langle \mathit{id}, \delta \rangle$ to its unique ID, i.e., for each sub-program $\langle \mathit{id}', \delta' \rangle$ of $\langle \mathit{id}, \delta \rangle$, we have $\mathit{pid}(\langle \mathit{id}', \delta' \rangle) = \mathit{id}'$, and

2. additionally, for a technical reason related to the correctness proof of our translation from S-GKABs to S-KABs, for each action invocation $\langle \mathit{id}_\alpha, \textbf{pick}\ Q(\vec{p}).\alpha(\vec{p}) \rangle$ that is a sub-program of $\langle \mathit{id}, \delta \rangle$, we have $\mathit{pid}(\langle \mathit{id}_\alpha.\varepsilon, \varepsilon \rangle) = \mathit{id}_\alpha.\varepsilon$ (where $\mathit{id}_\alpha.\varepsilon$ is a new ID, simply obtained by concatenating $\mathit{id}_\alpha$ with the string $\varepsilon$).

■

For simplicity of presentation, from now on we assume that every program is associated with an ID. Note that every program without ID can be transformed into a program with ID as above. Moreover, we will not write the ID that is attached to a (sub-)program, and when it is clear from the context we simply write $\mathit{pid}(\delta')$, instead of $\mathit{pid}(\langle \mathit{id}, \delta' \rangle)$, to denote the unique program ID of a sub-program $\delta'$ of $\delta$, which is determined by its occurrence in $\delta$.

We now proceed to define a translation $tg(\mathit{st}, \delta, \mathit{ed})$ that, given a Golog program $\delta$ as well as two flags $\mathit{st}$ and $\mathit{ed}$, produces a process (a set of condition-action rules) and a set of actions that mimic the execution of the program $\delta$ starting from a state $s$ with an ABox $A$ (i.e., $A = \mathit{abox}(s)$) where $\mathit{st} \in A$; at the end of the execution of $\delta$, which changes $A$ into $A'$, we have $\mathit{ed} \in A'$ but $\mathit{st} \notin A'$. Intuitively, $\mathit{st}$ and $\mathit{ed}$ act as markers that indicate the start and the end of the execution of the corresponding program $\delta$. Formally, the translation $tg$ is defined as follows:

Definition 29 (Program Translation). We define a translation $tg$ that takes as inputs:

1. a program $\delta$ over a set of actions $\Gamma$,

2. two flags (which will be used as markers indicating the start and the end of the execution of the program $\delta$),

and produces as outputs:

1. $\mathit{pre}$, a function that maps each sub-program $\delta'$ of $\delta$ to a flag (called the start flag of $\delta'$) that acts as a marker indicating the start of the execution of $\delta'$,

2. $\mathit{post}$, a function that maps each sub-program $\delta'$ of $\delta$ to a flag (called the end flag of $\delta'$) that acts as a marker indicating the end of the execution of $\delta'$,

3. $\Pi$, a process (a set of condition-action rules),

4. $\Gamma'$, a set of actions.

I.e., $tg(\mathit{st}, \delta, \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi, \Gamma')$, where $\mathit{st}$ and $\mathit{ed}$ are flags. Formally, $tg(\mathit{st}, \delta, \mathit{ed})$ is inductively defined over the structure of the program $\delta$ as follows:

1. For the case $\delta = \varepsilon$ (i.e., $\delta$ is the empty program):

$tg(\mathit{st}, \varepsilon, \mathit{ed}) = (\mathit{pre}, \mathit{post}, \{\mathit{st} \mapsto a_\varepsilon()\}, \{a_\varepsilon\})$,

where

• $\mathit{pre} = \{[\mathit{pid}(\varepsilon) \rightarrow \mathit{st}]\}$,

• $\mathit{post} = \{[\mathit{pid}(\varepsilon) \rightarrow \mathit{ed}]\}$,

• $a_\varepsilon$ is of the form

$a_\varepsilon() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{ed}, \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}\}\}$;

2. For the case $\delta = \textbf{pick}\ Q(\vec{p}).\alpha(\vec{p})$ (i.e., $\delta$ is an action invocation) with $\mathit{pid}(\textbf{pick}\ Q(\vec{p}).\alpha(\vec{p})) = \mathit{id}_\alpha$:

$tg(\mathit{st}, \textbf{pick}\ Q(\vec{p}).\alpha(\vec{p}), \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi, \Gamma')$,

where

• $\mathit{pre} = \{[\mathit{pid}(\textbf{pick}\ Q(\vec{p}).\alpha(\vec{p})) \rightarrow \mathit{st}]\} \cup \mathit{pre}'$,

• $\mathit{post} = \{[\mathit{pid}(\textbf{pick}\ Q(\vec{p}).\alpha(\vec{p})) \rightarrow \mathit{ed}]\} \cup \mathit{post}'$,

• $\Pi = \{Q(\vec{p}) \wedge \mathit{st} \mapsto \alpha'(\vec{p})\} \cup \Pi'$,

• $\Gamma' = \{\alpha'\} \cup \Gamma''$, where

$\mathrm{EFF}(\alpha') = \mathrm{EFF}(\alpha) \cup \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{ed}\}\} \cup \{\mathit{true} \rightsquigarrow \textbf{del}\ \{\mathit{st}, \mathit{State}(\mathit{temp})\}\} \cup \{\mathit{Noop}(x) \rightsquigarrow \textbf{del}\ \mathit{Noop}(x)\}$,

• $tg(\mathit{ed}, \varepsilon, \mathit{ed}) = (\mathit{pre}', \mathit{post}', \Pi', \Gamma'')$, where $\mathit{pid}(\varepsilon) = \mathit{id}_\alpha.\varepsilon$;

3. For the case $\delta = \delta_1 | \delta_2$ (i.e., $\delta$ is a non-deterministic choice between programs):

$tg(\mathit{st}, \delta_1 | \delta_2, \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi, \Gamma)$,

where

• $\mathit{pre} = \{[\mathit{pid}(\delta_1 | \delta_2) \rightarrow \mathit{st}]\} \cup \mathit{pre}_1 \cup \mathit{pre}_2$,

• $\mathit{post} = \{[\mathit{pid}(\delta_1 | \delta_2) \rightarrow \mathit{ed}]\} \cup \mathit{post}_1 \cup \mathit{post}_2$,

• $\Pi = \{\mathit{st} \mapsto \gamma_{\delta_1}(), \mathit{st} \mapsto \gamma_{\delta_2}()\} \cup \Pi_1 \cup \Pi_2$,

• $\Gamma = \Gamma_1 \cup \Gamma_2 \cup \{\gamma_{\delta_1}, \gamma_{\delta_2}\}$, where

- $\gamma_{\delta_1}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{Flag}(c_1), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}\}\}$,

- $\gamma_{\delta_2}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{Flag}(c_2), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}\}\}$,

• $tg(\mathit{Flag}(c_1), \delta_1, \mathit{ed}) = (\mathit{pre}_1, \mathit{post}_1, \Pi_1, \Gamma_1)$,

• $tg(\mathit{Flag}(c_2), \delta_2, \mathit{ed}) = (\mathit{pre}_2, \mathit{post}_2, \Pi_2, \Gamma_2)$,

• $c_1, c_2 \in \Delta_0$ are fresh constants;

4. For the case $\delta = \delta_1 ; \delta_2$ (i.e., $\delta$ is a sequence of programs):

$tg(\mathit{st}, \delta_1 ; \delta_2, \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi_1 \cup \Pi_2, \Gamma_1 \cup \Gamma_2)$,

where

• $\mathit{pre} = \{[\mathit{pid}(\delta_1 ; \delta_2) \rightarrow \mathit{st}]\} \cup \mathit{pre}_1 \cup \mathit{pre}_2$,

• $\mathit{post} = \{[\mathit{pid}(\delta_1 ; \delta_2) \rightarrow \mathit{ed}]\} \cup \mathit{post}_1 \cup \mathit{post}_2$,

• $tg(\mathit{st}, \delta_1, \mathit{Flag}(c)) = (\mathit{pre}_1, \mathit{post}_1, \Pi_1, \Gamma_1)$,

• $tg(\mathit{Flag}(c), \delta_2, \mathit{ed}) = (\mathit{pre}_2, \mathit{post}_2, \Pi_2, \Gamma_2)$,

• $c \in \Delta_0$ is a fresh constant;

5. For the case $\delta = \textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2$:

$tg(\mathit{st}, \textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2, \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi, \Gamma)$,

where

• $\mathit{pre} = \{[\mathit{pid}(\textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2) \rightarrow \mathit{st}]\} \cup \mathit{pre}_1 \cup \mathit{pre}_2$,

• $\mathit{post} = \{[\mathit{pid}(\textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2) \rightarrow \mathit{ed}]\} \cup \mathit{post}_1 \cup \mathit{post}_2$,

• $\Pi = \{\mathit{st} \wedge \varphi \mapsto \gamma_{\mathit{if}}(), \mathit{st} \wedge \neg\varphi \mapsto \gamma_{\mathit{else}}()\} \cup \Pi_1 \cup \Pi_2$,

• $\Gamma = \Gamma_1 \cup \Gamma_2 \cup \{\gamma_{\mathit{if}}, \gamma_{\mathit{else}}\}$, where

- $\gamma_{\mathit{if}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{Flag}(c_1), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}\}\}$,

- $\gamma_{\mathit{else}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{Flag}(c_2), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}\}\}$,

• $tg(\mathit{Flag}(c_1), \delta_1, \mathit{ed}) = (\mathit{pre}_1, \mathit{post}_1, \Pi_1, \Gamma_1)$,

• $tg(\mathit{Flag}(c_2), \delta_2, \mathit{ed}) = (\mathit{pre}_2, \mathit{post}_2, \Pi_2, \Gamma_2)$,

• $c_1, c_2 \in \Delta_0$ are fresh constants;

6. For the case $\delta = \textbf{while}\ \varphi\ \textbf{do}\ \delta'$:

$tg(\mathit{st}, \textbf{while}\ \varphi\ \textbf{do}\ \delta', \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi, \Gamma)$,

where

• $\mathit{pre} = \{[\mathit{pid}(\textbf{while}\ \varphi\ \textbf{do}\ \delta') \rightarrow \mathit{st}]\} \cup \mathit{pre}'$,

• $\mathit{post} = \{[\mathit{pid}(\textbf{while}\ \varphi\ \textbf{do}\ \delta') \rightarrow \mathit{ed}]\} \cup \mathit{post}'$,

• $\Pi = \Pi' \cup \Pi_{\mathit{loop}}$, where $\Pi_{\mathit{loop}}$ contains:

- $\mathit{st} \wedge \varphi \wedge \neg\mathit{Noop}(\mathit{noop}) \mapsto \gamma_{\mathit{doLoop}}()$,

- $\mathit{st} \wedge (\neg\varphi \vee \mathit{Noop}(\mathit{noop})) \mapsto \gamma_{\mathit{endLoop}}()$,

• $\Gamma = \Gamma' \cup \Gamma_{\mathit{loop}}$, where $\Gamma_{\mathit{loop}}$ contains the following:

- $\gamma_{\mathit{doLoop}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{Flag}(\mathit{lStart}), \mathit{Noop}(\mathit{noop}), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}\}\}$,

- $\gamma_{\mathit{endLoop}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{ed}, \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{st}, \mathit{Noop}(\mathit{noop})\}\}$,

• $tg(\mathit{Flag}(\mathit{lStart}), \delta', \mathit{st}) = (\mathit{pre}', \mathit{post}', \Pi', \Gamma')$,

• $\mathit{noop}, \mathit{lStart} \in \Delta_0$ are fresh constants.

■

Note that the body $\delta'$ of a loop is translated with the loop's own start flag $\mathit{st}$ as its end flag, so that finishing one iteration re-enables the loop rules, and that $\mathit{Noop}(\mathit{noop})$ is removed only by translated action invocations; if an iteration completes without executing any action, the marker survives and $\gamma_{\mathit{endLoop}}$ becomes applicable regardless of $\varphi$.

For compactness, we often simply write $\mathit{pre}(\delta)$ to abbreviate the notation $\mathit{pre}(\mathit{pid}(\delta))$, which returns the start flag of the program with program ID $\mathit{pid}(\delta)$. Similarly for $\mathit{post}(\delta)$.

Lemma 30. Given a program $\delta$ over a set $\Gamma$ of actions, we have $tg(\mathit{st}, \delta, \mathit{ed}) = (\mathit{pre}, \mathit{post}, \Pi, \Gamma')$ if and only if $\mathit{pre}(\delta) = \mathit{st}$ and $\mathit{post}(\delta) = \mathit{ed}$.

Proof. Directly follows from the definition of $tg$. □
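The following is an added, executable rendering of the translation $tg$ of Definition 29 (with occurrence-based program IDs in the spirit of Definition 27); it is not code from the paper. It is used to check, on a small constructed program, the three structural facts the surrounding lemmas rely on: $\mathit{pre}(\delta) = \mathit{st}$ and $\mathit{post}(\delta) = \mathit{ed}$ (Lemma 30), that every generated action is either a temp adder or a temp deleter but never both (Lemma 35, stated below), and that distinct action invocations receive distinct start flags (Lemma 38, stated below). The tuple encoding of programs, the flag and action naming scheme, and the representation of effects as (condition, add-set, delete-set) triples are choices made for this example.

```python
# Added example (not from the paper): the program translation tg of Definition 29.
from dataclasses import dataclass, field

TEMP = "State(temp)"   # the special marker concept assertion
NOOP = "Noop(noop)"    # loop marker of case 6 of Definition 29

# Golog program AST (tagged tuples), an encoding chosen for this example:
#   ("eps",)                   empty program
#   ("pick", Q, alpha, eff)    pick Q(p).alpha(p); eff = EFF(alpha) as (cond, add, del) triples
#   ("choice", d1, d2)         d1 | d2
#   ("seq", d1, d2)            d1 ; d2
#   ("if", phi, d1, d2)        if phi then d1 else d2
#   ("while", phi, d)          while phi do d

@dataclass
class Translation:
    pre: dict = field(default_factory=dict)          # program ID -> start flag
    post: dict = field(default_factory=dict)         # program ID -> end flag
    rules: list = field(default_factory=list)        # process Pi: (condition, action name)
    actions: dict = field(default_factory=dict)      # Gamma': action name -> [(cond, add, del)]
    invocations: list = field(default_factory=list)  # program IDs of action invocations
    _n: int = 0

    def fresh(self, prefix):
        self._n += 1
        return f"{prefix}{self._n}"

    def flag(self, name="c"):
        return f"Flag({self.fresh(name)})"           # Flag(c_i) with a fresh constant c_i

    def gamma(self, st, flag, prefix="gamma"):
        """The marker actions of cases 3 and 5: add a fresh flag and State(temp), delete st."""
        g = self.fresh(prefix)
        self.actions[g] = [("true", {flag, TEMP}, {st})]
        return g

    def tg(self, st, prog, ed, pid="id"):
        self.pre[pid], self.post[pid] = st, ed       # Lemma 30: pre(delta) = st, post(delta) = ed
        kind = prog[0]
        if kind == "eps":
            a = self.fresh("a_eps")
            self.actions[a] = [("true", {ed, TEMP}, {st})]
            self.rules.append((st, a))
        elif kind == "pick":
            _, q, alpha, eff = prog
            self.invocations.append(pid)
            a = self.fresh(alpha + "'")
            self.actions[a] = list(eff) + [("true", {ed}, set()),
                                           ("true", set(), {st, TEMP}),
                                           ("Noop(x)", set(), {"Noop(x)"})]
            self.rules.append((f"{q} and {st}", a))
            self.tg(ed, ("eps",), ed, pid + ".eps")  # trailing empty program of case 2
        elif kind == "choice":
            for sub, idx in ((prog[1], "1"), (prog[2], "2")):
                f = self.flag()
                self.rules.append((st, self.gamma(st, f)))
                self.tg(f, sub, ed, f"{pid}.{idx}")
        elif kind == "seq":
            mid = self.flag()                        # post(delta1) = pre(delta2) = Flag(c)
            self.tg(st, prog[1], mid, pid + ".1")
            self.tg(mid, prog[2], ed, pid + ".2")
        elif kind == "if":
            _, phi, d1, d2 = prog
            for sub, cond, idx in ((d1, phi, "1"), (d2, f"not {phi}", "2")):
                f = self.flag()
                self.rules.append((f"{st} and {cond}", self.gamma(st, f)))
                self.tg(f, sub, ed, f"{pid}.{idx}")
        elif kind == "while":
            _, phi, body = prog
            lstart = self.flag("lStart")
            do, end = self.fresh("gamma_doLoop"), self.fresh("gamma_endLoop")
            self.actions[do] = [("true", {lstart, NOOP, TEMP}, {st})]
            self.actions[end] = [("true", {ed, TEMP}, {st, NOOP})]
            self.rules.append((f"{st} and {phi} and not {NOOP}", do))
            self.rules.append((f"{st} and (not {phi} or {NOOP})", end))
            self.tg(lstart, body, st, pid + ".1")    # the body's end flag is the loop's start flag
        else:
            raise ValueError(prog)
        return self

def translate(prog):
    """The tg part of Definition 31: start/end flags Flag(start) and Flag(end)."""
    return Translation().tg("Flag(start)", prog, "Flag(end)")

def is_temp_adder(effects):
    return any(TEMP in add for _, add, _ in effects)

def is_temp_deleter(effects):
    return any(TEMP in dele for _, _, dele in effects)

def partition_holds(t):
    """Lemma 35: every generated action is a temp adder or a temp deleter, never both."""
    return all(is_temp_adder(e) != is_temp_deleter(e) for e in t.actions.values())

def invocation_flags_distinct(t):
    """Lemma 38: distinct action invocations have distinct start flags."""
    flags = [t.pre[p] for p in t.invocations]
    return len(flags) == len(set(flags))

# Constructed sample program: (pick Q1(x).a1(x)) ; while phi do ((pick Q2(y).a2(y)) | eps)
SAMPLE = ("seq",
          ("pick", "Q1(x)", "a1", [("Q1(x)", {"P(x)"}, set())]),
          ("while", "phi", ("choice",
                            ("pick", "Q2(y)", "a2", [("Q2(y)", {"R(y)"}, set())]),
                            ("eps",))))
```

In `SAMPLE`, the sub-program IDs are `id` (the whole sequence), `id.1` (the first invocation), `id.2` (the loop), `id.2.1` (the choice inside the loop) and `id.2.1.1` (the second invocation); the checks below read the `pre`/`post` maps through those IDs.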

Having $tg$ in hand, we define a translation $\tau_g$ that compiles S-GKABs into S-KABs as follows.

Definition 31 (Translation from S-GKABs to S-KABs). We define a translation $\tau_g$ that takes an S-GKAB $\mathcal{G} = \langle T, A_0, \Gamma, \delta \rangle$ as input and produces an S-KAB $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ s.t.:

• $A_0' = A_0 \cup \{\mathit{Flag}(\mathit{start})\}$, and

• $tg(\mathit{Flag}(\mathit{start}), \delta, \mathit{Flag}(\mathit{end})) = (\mathit{pre}, \mathit{post}, \Pi', \Gamma')$.

■


To show some properties of the translation $\tau_g$ that transforms S-GKABs into S-KABs above, we first introduce several preliminaries. As the first step, we define when a state of an S-GKAB is mimicked by a state of an S-KAB.

Definition 32. Let $\mathcal{G} = \langle T, A_0, \Gamma, \delta \rangle$ be a normalized S-GKAB with transition system $\Upsilon^S_{\mathcal{G}}$, and $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ be the S-KAB with transition system $\Upsilon^S_{\tau_g(\mathcal{G})}$ obtained from $\mathcal{G}$ through $\tau_g$, s.t. (i) $A_0' = A_0 \cup \{\mathit{Flag}(\mathit{start})\}$, and (ii) $tg(\mathit{Flag}(\mathit{start}), \delta, \mathit{Flag}(\mathit{end})) = (\mathit{pre}, \mathit{post}, \Pi', \Gamma')$. Consider two states $\langle A_g, m_g, \delta_g \rangle$ of $\Upsilon^S_{\mathcal{G}}$ and $\langle A_k, m_k \rangle$ of $\Upsilon^S_{\tau_g(\mathcal{G})}$. We say $\langle A_g, m_g, \delta_g \rangle$ is mimicked by $\langle A_k, m_k \rangle$ (or equivalently, $\langle A_k, m_k \rangle$ mimics $\langle A_g, m_g, \delta_g \rangle$), written

$\langle A_g, m_g, \delta_g \rangle \cong \langle A_k, m_k \rangle$, if

1. $A_k \sim A_g$,

2. $m_k = m_g$, and

3. $\mathit{pre}(\delta_g) \in A_k$.

■

Next, we define the notions of temp adder/deleter action as follows.

Definition 33 (Temp Marker Adder Action). Let $\mathcal{G}$ be an S-GKAB and $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ be the corresponding S-KAB obtained from $\mathcal{G}$ via $\tau_g$. An action $\alpha \in \Gamma'$ is a temp adder action of $\tau_g(\mathcal{G})$ if there exists an effect $e \in \mathrm{EFF}(\alpha)$ of the form $[q^+] \wedge Q^- \rightsquigarrow \textbf{add}\ F^+, \textbf{del}\ F^-$ such that $\mathit{State}(\mathit{temp}) \in F^+$. We write $\Gamma^+$ to denote the set of temp adder actions of $\tau_g(\mathcal{G})$. ■

Definition 34 (Temp Marker Deleter Action). Let $\mathcal{G}$ be an S-GKAB and $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ be the corresponding S-KAB obtained from $\mathcal{G}$ via $\tau_g$. An action $\alpha \in \Gamma'$ is a temp deleter action of $\tau_g(\mathcal{G})$ if there exists an effect $e \in \mathrm{EFF}(\alpha)$ of the form $[q^+] \wedge Q^- \rightsquigarrow \textbf{add}\ F^+, \textbf{del}\ F^-$ such that $\mathit{State}(\mathit{temp}) \in F^-$. We write $\Gamma^-$ to denote the set of temp deleter actions of $\tau_g(\mathcal{G})$. ■

Roughly speaking, a temp adder action is an action that adds the ABox assertion $\mathit{State}(\mathit{temp})$. Similarly, a temp deleter action is an action that removes the ABox assertion $\mathit{State}(\mathit{temp})$.

Lemma 35. Let $\mathcal{G}$ be an S-GKAB, $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ be the corresponding S-KAB obtained from $\mathcal{G}$ via $\tau_g$, and $\Gamma^+$ (resp. $\Gamma^-$) be the set of temp adder (resp. deleter) actions of $\tau_g(\mathcal{G})$. We have that $\Gamma' = \Gamma^+ \uplus \Gamma^-$.

Proof. Trivially true by observing Definitions 29, 33 and 34: $a_\varepsilon$, the $\gamma$ actions of the choice, if and while cases only add $\mathit{State}(\mathit{temp})$, while the action $\alpha'$ obtained from an action invocation only deletes it. □

Lemma 36. Let $\mathcal{G}$ be an S-GKAB, $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ be the corresponding S-KAB (with transition system $\Upsilon^S_{\tau_g(\mathcal{G})}$) obtained from $\mathcal{G}$ via $\tau_g$, and $\Gamma^+$ be the set of temp adder actions of $\tau_g(\mathcal{G})$. Consider a state $\langle A_k, m_k \rangle$ of $\Upsilon^S_{\tau_g(\mathcal{G})}$. If there exists a state $\langle A_k', m_k' \rangle$ such that $\langle A_k, m_k \rangle \xrightarrow{\alpha\sigma,\theta} \langle A_k', m_k' \rangle$ and $\mathit{State}(\mathit{temp}) \in A_k'$, then $\sigma$ is the empty substitution, $\alpha \in \Gamma^+$, $\alpha$ does not involve any service calls, $A_k' \sim A_k$, and $m_k' = m_k$.

Proof. Since $\mathit{State}(\mathit{temp}) \in A_k'$, by Definition 33 and Lemma 35 we must have $\alpha \in \Gamma^+$. By the definition of the translation $tg$ (see Definition 29), every action in $\Gamma^+$ is 0-ary, does not involve service calls, and only manipulates the special markers. Thus $\sigma$ is empty, and it is easy to see that $A_k' \sim A_k$ and $m_k' = m_k$. □
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Lemma 37. Let Q = (T, Ag, V. 6) be an S-GKAB, Tg(Q) = 
(T, A [j. r', IT) be the corresponding S-KAB ( with transition 
system T^) obtained from Q via Tg, and r+ be a set of temp 

adder actions ofrg{Q). Consider a state (A k , rtik) °f^T-(gy 

if there exists a state (A k ,m k ) such that (A k ,m k ) a 
(. A' k ,m' k }, and Stat e(temp) (jL A' k then a 1 £ and there 
exists action invocation pick Q(p).a(p) in the sub-proram of 5 
such that a' is obtained from the translation of pick Q(p).a(p ) 
via tg. 


Proof Since Stat e(temp) qL A' k , then by Definition 34 and 
Lemma 35 we must have a' £ T~. By the definition of 
translation tg (see Definition |29|>, a ' must be obtained from 
the translation of an action invocation pick Q(p).a(p) in the 
sub-proram of <5. □ 


The following lemma shows that two action invocations with different program IDs have different start flags, i.e., action invocations that occur at different places inside a program have different start flags. This claim is formalized below.

Lemma 38. Let $\mathcal{G} = \langle T, A_0, \Gamma, \delta \rangle$ be an S-GKAB, and $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$ be the corresponding S-KAB (with transition system $\Upsilon^S_{\tau_g(\mathcal{G})}$) obtained from $\mathcal{G}$ via $\tau_g$. Consider two action invocations $\textbf{pick}\ Q_1(\vec{x}).\alpha_1(\vec{x})$ and $\textbf{pick}\ Q_2(\vec{y}).\alpha_2(\vec{y})$ that are sub-programs of $\delta$. We have that $\mathit{pid}(\textbf{pick}\ Q_1(\vec{x}).\alpha_1(\vec{x})) \neq \mathit{pid}(\textbf{pick}\ Q_2(\vec{y}).\alpha_2(\vec{y}))$ if and only if $\mathit{pre}(\mathit{pid}(\textbf{pick}\ Q_1(\vec{x}).\alpha_1(\vec{x}))) \neq \mathit{pre}(\mathit{pid}(\textbf{pick}\ Q_2(\vec{y}).\alpha_2(\vec{y})))$.

Proof. Trivially true by observing the definition of the translation $tg$ (see Definition 29): in every case, the start flag passed to a sub-program is either the start flag of the enclosing program (only for the first component of a sequence) or a flag built from a fresh constant. □

We now show a property of the translation $\tau_g$ that is related to the final states of S-GKAB transition systems. Essentially, we show that given a final state $s_g = \langle A_g, m_g, \delta_g \rangle$ of an S-GKAB transition system and a state $s_k$ of its corresponding S-KAB transition system such that $s_k$ mimics $s_g$, there exists a state $s_k'$ reachable from $s_k$ (possibly through some intermediate states) such that $\mathit{post}(\delta_g)$ is in the ABox contained in $s_k'$. Formally, this claim is stated below.

Lemma 39. Given an S-GKAB $\mathcal{G}$ (with transition system $\Upsilon^S_{\mathcal{G}}$), and the S-KAB $\tau_g(\mathcal{G})$ (with transition system $\Upsilon^S_{\tau_g(\mathcal{G})}$) obtained from $\mathcal{G}$ through $\tau_g$, consider the states $\langle A_g, m_g, \delta_g \rangle$ of $\Upsilon^S_{\mathcal{G}}$ and $\langle A_k, m_k \rangle$ of $\Upsilon^S_{\tau_g(\mathcal{G})}$. If $\langle A_g, m_g, \delta_g \rangle \in F$ and $\langle A_g, m_g, \delta_g \rangle \cong \langle A_k, m_k \rangle$, then there exist states $\langle A_i, m_k \rangle$ and actions $\alpha_i$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

• $\langle A_k, m_k \rangle \xrightarrow{\alpha_1\sigma} \langle A_1, m_k \rangle \xrightarrow{\alpha_2\sigma} \cdots \xrightarrow{\alpha_n\sigma} \langle A_n, m_k \rangle$ (with an empty substitution $\sigma$),

• $\mathit{State}(\mathit{temp}) \in A_i$ (for $i \in \{1, \ldots, n\}$),

• $\mathit{post}(\delta_g) \in A_n$,

• $\mathit{pre}(\delta_g) \notin A_n$ (if $\mathit{post}(\delta_g) \neq \mathit{pre}(\delta_g)$),

• $A_n \sim A_g$, and

• if $\mathit{Noop}(c) \in A_k$ (where $c \in \Delta_0$), then $\mathit{Noop}(c) \in A_i$ (for $i \in \{1, \ldots, n\}$).

Proof. Let

• $\mathcal{G} = \langle T, A_0, \Gamma, \delta \rangle$, and $\Upsilon^S_{\mathcal{G}} = \langle \Delta, T, \Sigma_g, s_{0g}, \mathit{abox}_g, \Rightarrow_g \rangle$,

• $\tau_g(\mathcal{G}) = \langle T, A_0', \Gamma', \Pi' \rangle$, and $\Upsilon^S_{\tau_g(\mathcal{G})} = \langle \Delta, T, \Sigma_k, s_{0k}, \mathit{abox}_k, \Rightarrow_k \rangle$, where

• $A_0' = A_0 \cup \{\mathit{Flag}(\mathit{start})\}$, and

• $tg(\mathit{Flag}(\mathit{start}), \delta, \mathit{Flag}(\mathit{end})) = (\mathit{pre}, \mathit{post}, \Pi', \Gamma')$.

We show the claim by induction over the definition of final states, as follows.

Base case:

[$\delta_g = \varepsilon$]. Since $\langle A_g, m_g, \varepsilon \rangle \cong \langle A_k, m_k \rangle$, by Definition 32 we have $\mathit{pre}(\varepsilon) \in A_k$. By the definition of $tg$, we have a 0-ary action $a_\varepsilon()$ where

- $\mathit{pre}(\varepsilon) \mapsto a_\varepsilon()$, and

- $\mathrm{EFF}(a_\varepsilon) = \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{post}(\varepsilon), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{pre}(\varepsilon)\}\}$.

Hence, by observing how an action is executed and how the result of an action execution is constructed, we easily obtain that there exists $\langle A_1, m_k \rangle$ such that

- $\langle A_k, m_k \rangle \xrightarrow{a_\varepsilon\sigma} \langle A_1, m_k \rangle$ (with an empty substitution $\sigma$),

- $\mathit{State}(\mathit{temp}) \in A_1$,

- $\mathit{post}(\varepsilon) \in A_1$,

- $\mathit{pre}(\varepsilon) \notin A_1$ (if $\mathit{pre}(\varepsilon) \neq \mathit{post}(\varepsilon)$), and

- $A_1 \sim A_g$.

Additionally, it is also true that if $\mathit{Noop}(c) \in A_k$ (for a constant $c \in \Delta_0$), then $\mathit{Noop}(c) \in A_1$, because, by the definition of $tg$, the action $a_\varepsilon$ does not delete any assertion made with the concept name $\mathit{Noop}$, and only actions obtained from the translation of an action invocation delete such assertions. Therefore the claim is proven for this case.

Inductive cases:

[$\delta_g = \delta_1 | \delta_2$]. Since $\langle A_g, m_g, \delta_1 | \delta_2 \rangle \in F$, by the definition of final states we have either

(1) $\langle A_g, m_g, \delta_1 \rangle \in F$, or

(2) $\langle A_g, m_g, \delta_2 \rangle \in F$.

For compactness of the proof, here we only show case (1); case (2) is analogous. Since $\langle A_g, m_g, \delta_1 | \delta_2 \rangle \cong \langle A_k, m_k \rangle$, we have $\mathit{pre}(\delta_1 | \delta_2) \in A_k$. By the definition of $\tau_g$, we have

- $\mathit{pre}(\delta_1 | \delta_2) \mapsto \gamma_{\delta_1}() \in \Pi'$,

- $\gamma_{\delta_1}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{pre}(\delta_1), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{pre}(\delta_1 | \delta_2)\}\}$,

- $\mathit{post}(\delta_1 | \delta_2) = \mathit{post}(\delta_1)$.

Executing $\gamma_{\delta_1}$ yields a state $\langle A_t, m_k \rangle$ with $A_t \sim A_g$ and $\mathit{pre}(\delta_1) \in A_t$, i.e., $\langle A_g, m_g, \delta_1 \rangle \cong \langle A_t, m_k \rangle$. Then, by induction hypothesis applied to $\langle A_g, m_g, \delta_1 \rangle$, and by observing how an action is executed and how the result of an action execution is constructed, it is easy to see that the claim is proven.

[$\delta_g = \delta_1 ; \delta_2$]. Since $\langle A_g, m_g, \delta_1 ; \delta_2 \rangle \in F$, by the definition of final states we have $\langle A_g, m_g, \delta_1 \rangle \in F$ and $\langle A_g, m_g, \delta_2 \rangle \in F$. Since $\langle A_g, m_g, \delta_1 ; \delta_2 \rangle \cong \langle A_k, m_k \rangle$, we have $\mathit{pre}(\delta_1 ; \delta_2) \in A_k$. By the definition of $\tau_g$ we have that $\mathit{pre}(\delta_1 ; \delta_2) = \mathit{pre}(\delta_1)$, $\mathit{post}(\delta_1) = \mathit{pre}(\delta_2)$, and $\mathit{post}(\delta_2) = \mathit{post}(\delta_1 ; \delta_2)$. By induction hypothesis, there exist states $\langle A_i, m_k \rangle$ and actions $\alpha_i$ (for $i \in \{1, \ldots, l\}$, and $l \geq 0$) such that

- $\langle A_k, m_k \rangle \xrightarrow{\alpha_1\sigma} \langle A_1, m_k \rangle \xrightarrow{\alpha_2\sigma} \cdots \xrightarrow{\alpha_l\sigma} \langle A_l, m_k \rangle$ (with an empty substitution $\sigma$),

- $\mathit{State}(\mathit{temp}) \in A_i$ (for $i \in \{1, \ldots, l\}$),

- $\mathit{post}(\delta_1) \in A_l$,

- $\mathit{pre}(\delta_1) \notin A_l$ (if $\mathit{pre}(\delta_1) \neq \mathit{post}(\delta_1)$),

- $A_l \sim A_g$,

- if $\mathit{Noop}(c) \in A_k$ (where $c \in \Delta_0$), then $\mathit{Noop}(c) \in A_i$ (for $i \in \{1, \ldots, l\}$).

Now, since $A_l \sim A_g$, $m_k = m_g$, and $\mathit{pre}(\delta_2) \in A_l$, we have $\langle A_g, m_g, \delta_2 \rangle \cong \langle A_l, m_k \rangle$. Hence, by induction hypothesis again, there exist states $\langle A_i, m_k \rangle$ and actions $\alpha_i$ (for $i \in \{l+1, \ldots, n\}$, and $n \geq l$) such that

- $\langle A_l, m_k \rangle \xrightarrow{\alpha_{l+1}\sigma} \langle A_{l+1}, m_k \rangle \xrightarrow{\alpha_{l+2}\sigma} \cdots \xrightarrow{\alpha_n\sigma} \langle A_n, m_k \rangle$ (with an empty substitution $\sigma$),

- $\mathit{State}(\mathit{temp}) \in A_i$ (for $i \in \{l+1, \ldots, n\}$),

- $\mathit{post}(\delta_2) \in A_n$,

- $\mathit{pre}(\delta_2) \notin A_n$ (if $\mathit{pre}(\delta_2) \neq \mathit{post}(\delta_2)$),

- $A_n \sim A_g$,

- if $\mathit{Noop}(c) \in A_l$ (where $c \in \Delta_0$), then $\mathit{Noop}(c) \in A_i$ (for $i \in \{l+1, \ldots, n\}$).

Therefore, it is easy to see that the claim is proven.

[$\delta_g = \textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2$]. Since $\langle A_g, m_g, \textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2 \rangle \in F$, by the definition of final states we have either

(1) $\langle A_g, m_g, \delta_1 \rangle \in F$ and $\mathrm{ANS}(\varphi, T, A_g) = \mathit{true}$, or

(2) $\langle A_g, m_g, \delta_2 \rangle \in F$ and $\mathrm{ANS}(\varphi, T, A_g) = \mathit{false}$.

For compactness of the proof, here we only show case (1); case (2) is analogous. Now, since $\langle A_g, m_g, \textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2 \rangle \cong \langle A_k, m_k \rangle$, we have $\mathit{pre}(\textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2) \in A_k$. By the definition of $\tau_g$, we have

- $\varphi \wedge \mathit{pre}(\textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2) \mapsto \gamma_{\mathit{if}}() \in \Pi'$,

- $\gamma_{\mathit{if}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{pre}(\delta_1), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{pre}(\textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2)\}\}$,

- $\mathit{post}(\textbf{if}\ \varphi\ \textbf{then}\ \delta_1\ \textbf{else}\ \delta_2) = \mathit{post}(\delta_1)$.

Since $A_k \sim A_g$ and $\varphi$ does not use the special marker concept names, $\mathrm{ANS}(\varphi, T, A_k) = \mathit{true}$, so $\gamma_{\mathit{if}}$ is executable in $A_k$. Then, by induction hypothesis applied to $\langle A_g, m_g, \delta_1 \rangle$, and by observing how an action is executed and how the result of an action execution is constructed, it is easy to see that the claim is proven.

[$\delta_g = \textbf{while}\ \varphi\ \textbf{do}\ \delta$]. Since $\langle A_g, m_g, \textbf{while}\ \varphi\ \textbf{do}\ \delta \rangle \in F$, by the definition of final states we have either

(1) $\mathrm{ANS}(\varphi, T, A_g) = \mathit{false}$, or

(2) $\langle A_g, m_g, \delta \rangle \in F$ and $\mathrm{ANS}(\varphi, T, A_g) = \mathit{true}$.

Proof for case (1): Since $\langle A_g, m_g, \textbf{while}\ \varphi\ \textbf{do}\ \delta \rangle \cong \langle A_k, m_k \rangle$, we have $\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta) \in A_k$. By the definition of $\tau_g$, we have

• $\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta) \wedge (\neg\varphi \vee \mathit{Noop}(\mathit{noop})) \mapsto \gamma_{\mathit{endLoop}}()$,

• $\gamma_{\mathit{endLoop}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{post}(\textbf{while}\ \varphi\ \textbf{do}\ \delta), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta), \mathit{Noop}(\mathit{noop})\}\}$.

Since $A_k \sim A_g$, $\mathrm{ANS}(\varphi, T, A_k) = \mathit{false}$ as well, so $\gamma_{\mathit{endLoop}}$ is executable in $A_k$. Then, by observing how an action is executed and how the result of an action execution is constructed, it is easy to see that the claim is proved (with $n = 1$). Note that $\gamma_{\mathit{endLoop}}$ deletes $\mathit{Noop}(\mathit{noop})$, which does not contradict the last item of the claim: $\mathit{Noop}(\mathit{noop})$ can be present in $A_k$ only inside an enclosing loop body, and in that case the enclosing loop's own $\gamma_{\mathit{doLoop}}$ adds it again before its body starts.

Proof for case (2): Since $\langle A_g, m_g, \textbf{while}\ \varphi\ \textbf{do}\ \delta \rangle \cong \langle A_k, m_k \rangle$, we have $\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta) \in A_k$. By the definition of $\tau_g$, we have

• $\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta) \wedge \varphi \wedge \neg\mathit{Noop}(\mathit{noop}) \mapsto \gamma_{\mathit{doLoop}}()$,

• $\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta) \wedge (\neg\varphi \vee \mathit{Noop}(\mathit{noop})) \mapsto \gamma_{\mathit{endLoop}}()$,

• $\gamma_{\mathit{endLoop}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{post}(\textbf{while}\ \varphi\ \textbf{do}\ \delta), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta), \mathit{Noop}(\mathit{noop})\}\}$,

• $\gamma_{\mathit{doLoop}}() : \{\mathit{true} \rightsquigarrow \textbf{add}\ \{\mathit{pre}(\delta), \mathit{Noop}(\mathit{noop}), \mathit{State}(\mathit{temp})\}, \textbf{del}\ \{\mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta)\}\}$.

Hence, it is easy to see that we have

$\langle A_k, m_k \rangle \xrightarrow{\gamma_{\mathit{doLoop}}\sigma} \langle A_k', m_k \rangle$

where $\sigma$ is an empty substitution, and $\{\mathit{State}(\mathit{temp}), \mathit{pre}(\delta), \mathit{Noop}(\mathit{noop})\} \subseteq A_k'$. Hence $\langle A_g, m_g, \delta \rangle \cong \langle A_k', m_k \rangle$. Since $\langle A_g, m_g, \delta \rangle \in F$ and $\langle A_g, m_g, \delta \rangle \cong \langle A_k', m_k \rangle$, by induction hypothesis there exist states $\langle A_i, m_k \rangle$ and actions $\alpha_i$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

• $\langle A_k', m_k \rangle \xrightarrow{\alpha_1\sigma} \langle A_1, m_k \rangle \xrightarrow{\alpha_2\sigma} \cdots \xrightarrow{\alpha_n\sigma} \langle A_n, m_k \rangle$ (with an empty substitution $\sigma$),

• $\mathit{State}(\mathit{temp}) \in A_i$ (for $i \in \{1, \ldots, n\}$),

• $\mathit{post}(\delta) \in A_n$,

• $\mathit{pre}(\delta) \notin A_n$ (if $\mathit{post}(\delta) \neq \mathit{pre}(\delta)$),

• $A_n \sim A_g$, and

• if $\mathit{Noop}(c) \in A_k'$ (where $c \in \Delta_0$), then $\mathit{Noop}(c) \in A_i$ (for $i \in \{1, \ldots, n\}$).

Hence we have

$\{\mathit{post}(\delta), \mathit{Noop}(\mathit{noop}), \mathit{State}(\mathit{temp})\} \subseteq A_n$.

Now, since by the definition of $tg$ we have that $\mathit{post}(\delta) = \mathit{pre}(\textbf{while}\ \varphi\ \textbf{do}\ \delta)$, the action $\gamma_{\mathit{endLoop}}$ is executable in $A_n$ (notice that we do not care whether $\mathrm{ANS}(\varphi, T, A_n)$ is $\mathit{false}$ or $\mathit{true}$, because $\mathit{Noop}(\mathit{noop}) \in A_n$). Hence we have

$\langle A_n, m_k \rangle \xrightarrow{\gamma_{\mathit{endLoop}}\sigma} \langle A_n', m_k \rangle$

with $\{\mathit{State}(\mathit{temp}), \mathit{post}(\textbf{while}\ \varphi\ \textbf{do}\ \delta)\} \subseteq A_n'$ and $\mathit{Noop}(\mathit{noop}) \notin A_n'$ (which is fine, since $\mathit{Noop}(\mathit{noop}) \notin A_k$). Thus the claim is proven. Intuitively, the idea for the proof of this case is that since $\langle A_g, m_g, \delta \rangle \in F$, no action is executed and nothing removes the marker made with the concept name $\mathit{Noop}$. In that situation, for the second iteration, no matter whether $\varphi$ (the guard of the loop) holds or not, we can exit the loop while keeping all assertions in the ABox (except the special markers) the same. Essentially, this reflects the situation in the corresponding S-GKAB, where no transition is made (since $\langle A_g, m_g, \delta \rangle \in F$).

□


C.3 Reducing the Verification of S-GKABs Into S-KABs

We exploit the property of J-bisimulation in order to show that the verification of $\mu\mathcal{L}^{\mathit{EQL}}_A$ properties over S-GKABs can be reduced to the verification of S-KABs. Essentially, we show that given an S-GKAB $\mathcal{G}$, its transition system $\Upsilon^S_{\mathcal{G}}$ is J-bisimilar to the transition system $\Upsilon^S_{\tau_g(\mathcal{G})}$ of the S-KAB $\tau_g(\mathcal{G})$ obtained from $\mathcal{G}$ via the translation $\tau_g$. Consequently, the two transition systems $\Upsilon^S_{\mathcal{G}}$ and $\Upsilon^S_{\tau_g(\mathcal{G})}$ cannot be distinguished by any $\mu\mathcal{L}^{\mathit{EQL}}_A$ formula (in NNF) modulo the translation $t_J$.

As a start, below we show that given a state $s_1$ of an S-GKAB transition system and a state $s_2$ of its corresponding S-KAB transition system such that $s_2$ mimics $s_1$, if $s_1$ reaches $s_1'$ in one step, then there exists $s_2'$ reachable from $s_2$ (possibly through some intermediate states $s_2^1, \ldots, s_2^n$ that contain $\mathit{State}(\mathit{temp})$) such that $s_2'$ mimics $s_1'$.

Lemma 40. Let $\mathcal{G}$ be an S-GKAB with transition system $\Upsilon^S_{\mathcal{G}}$, and $\tau_g(\mathcal{G})$ be the S-KAB (obtained from $\mathcal{G}$ through $\tau_g$) with transition system $\Upsilon^S_{\tau_g(\mathcal{G})}$. Consider two states $\langle A_g, m_g, \delta_g \rangle$ of $\Upsilon^S_{\mathcal{G}}$ and $\langle A_k, m_k \rangle$ of $\Upsilon^S_{\tau_g(\mathcal{G})}$ such that $\langle A_g, m_g, \delta_g \rangle \cong \langle A_k, m_k \rangle$. For every state $\langle A_g', m_g', \delta_g' \rangle$ such that $\langle A_g, m_g, \delta_g \rangle \xrightarrow{\alpha\sigma,\theta} \langle A_g', m_g', \delta_g' \rangle$ (for a certain action $\alpha$, a legal parameter assignment $\sigma$ and a service call substitution $\theta$), there exist states $\langle A_k', m_k' \rangle$ and $\langle A_i, m_k \rangle$ (for $i \in \{1, \ldots, n\}$, where $n \geq 0$), and actions $\alpha'$ and $\alpha_i$ (for $i \in \{1, \ldots, n\}$, where $n \geq 0$) such that

• $\langle A_k, m_k \rangle \xrightarrow{\alpha_1\sigma_\varepsilon} \langle A_1, m_k \rangle \xrightarrow{\alpha_2\sigma_\varepsilon} \cdots \xrightarrow{\alpha_n\sigma_\varepsilon} \langle A_n, m_k \rangle \xrightarrow{\alpha'\sigma,\theta} \langle A_k', m_k' \rangle$

where

- $\sigma_\varepsilon$ is an empty substitution,

- $\alpha'$ is obtained from $\alpha$ through $tg$,

- $\mathit{State}(\mathit{temp}) \in A_i$ (for $i \in \{1, \ldots, n\}$) and $\mathit{State}(\mathit{temp}) \notin A_k'$;

• $\langle A_g', m_g', \delta_g' \rangle \cong \langle A_k', m_k' \rangle$.


Proof. Let 

• g= (T,A 0 ,T,S), and 

r g S = ( A > «o g , abox g , => g ), 

• Tg{Q) = (7 1 , A' 0 , E', rL) and 

T rg( 0 ) = (A,T, T, k ,s ok , abox k ,=> k ) where 

1. Aq = Aq U {Flag(sfarf)}, and 

2. tg(F\ag(start), 8 , Flag(end)) = (pre,post, IT, T'). 
We prove by induction over the stmcture of S. 

Base case: 


[ 8 g = e]. Since (A g ,m g ,e) G F, then there does not exists 
(A’ g , m' g , S' g ) such that 


(A 


gi 1 


t gi 5g) (Ag, m'g, Sg) , 


Hence, we do not need to show anything. 

[ 8 g = pick Q(jT).o:(p)\. For compactness of the presentation, 
let a = pick Q(f).a(p). Since (A g , m g , a) = (A k , m k ), 
then pre(a) G A k , by the definition of Tg, we have: 

• Q(p) Apre(a) i-A- a'(p) G n', 

• a' G r. 

Since 

(A g , m g , a) aaJs > (A' g ,m' g ,£), 


then a G ANS(Q, T, A g ). Since A k ~ A g , and Q does 
not use any special marker concept names, by Lemma 


21 we have ANS(Q, T, A g ) = ANS (Q, T, A k ) and hence 
a G ANS(Q,T, A k ). Now, since pre(a) G A k , then of 
is executable in A k with legal parameter assignment a. 
Additionally, considering 


EFF(a') =EFF(a) 

Ujtrue add {posf(a)}} 

Ujtrue -w del {pre(a), State(femp)}} 
U{Noop(:r) del Noop(x)}, 


-A A 

Then it is easy to see that we have ADD^ = ADD a f , 
and hence CALLS(add^) = CALLS(ADD^). Thus 
we have 9 G CALLS (add^). Now, since m! g = 9Um g , 
m k = rn g and 9 G CALLS (ADD^, fc ), we can construct 
m' k =9 U m k . Therefore it is easy to see that there exists 
(A' k , m' k ), such that 


(■ A k ,m k ) AA (A' k ,m' k ) 

(with service call substition 9) and A' g ~ A' k (by con¬ 
sidering how A' k is constructed), m' g = m' k . By the 
definition of tg (in the translation of an action invocation) 
we also have pre(e) G A' k . Thus the claim is proven. 


Inductive case: 

[S g = 61 1$ 2 ]. Since 


(A g ,m g , 8 -^ 82 ) aaJs y (A' m', S'), 


then, there are two cases, that is either 


(1) (A g ,m g , 8 i) 

( 2 ) (A g , nig, S 2 ) 


a<y,fs 

oluJs 


■> (A'g, 


m'g, S'), or 
m' g , S'). 


Here we only give the derivation for the first case, the sec¬ 
ond case is similar. Since (A g , m g , <5i IA 2 ) — ( A k ,m k ), 
then A g ~ A k , m g = m k , andpre(t>i|< 52 ) G A k . By the 
definition of Tg and Lemma |30| we have 


• pre(S 1 \S 2 ) 7^() G n' 

• 7 g 1 G V, where 
7«i() : {true 

add {pre(8i), State (temp)}, del {<5i IA 2 }}, 
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Since pre(8i\8 2 ) £ A k , it is easy to see that 


(■ Ak,m k ) 


75 1 o’t 


■> (. A t ,m k ) 


where a t is an empty substitution, 

{pre(Si), State(iemp)} £ A t , and A t ~ 

Since 2l t ~ 21^ and ~ Ak, it is easy to see 
that A g ~ A t . Since A g ~ A t , m g = m k , and 
pre{5i) £ A t , then we have (A g ,m g , 8 i) = (A t ,m k ). 

Therefore, since ( A g ,m g , 8 \) (A' g , rn' g , 8 \) and 

(. A g , m g , 5i) = (At, m k ), by induction hypothesis, it is 
easy to see that the claim is proven for this case. 

[$\delta_g = \delta_1 ; \delta_2$]. There are two cases:

(1) $(A_g, m_g, \delta_1 ; \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1 ; \delta_2)$,

(2) $(A_g, m_g, \delta_1 ; \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_2)$.

Case (1). Since

$(A_g, m_g, \delta_1 ; \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1 ; \delta_2)$,

then we have

$(A_g, m_g, \delta_1) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1)$.

Since $(A_g, m_g, \delta_1 ; \delta_2) \cong (A_k, m_k)$, then $A_g \sim A_k$, $m_g = m_k$, and $\mathit{pre}(\delta_1 ; \delta_2) \in A_k$. By the definition of $\tau_{\mathcal{G}}$ and Lemma 30 it is easy to see that $\mathit{pre}(\delta_1 ; \delta_2) = \mathit{pre}(\delta_1)$, and hence because $\mathit{pre}(\delta_1 ; \delta_2) \in A_k$, we have $\mathit{pre}(\delta_1) \in A_k$. Now, since $A_g \sim A_k$, $m_g = m_k$, and $\mathit{pre}(\delta_1) \in A_k$, then we have $(A_g, m_g, \delta_1) \cong (A_k, m_k)$. Thus, since we also have

$(A_g, m_g, \delta_1) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1)$,

by using the induction hypothesis we have that the claim is proven.

Case (2). Since $(A_g, m_g, \delta_1 ; \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_2)$, then we have $(A_g, m_g, \delta_1) \in F$, and

$(A_g, m_g, \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_2)$.

Since $(A_g, m_g, \delta_1) \in F$ and $(A_g, m_g, \delta_g) \cong (A_k, m_k)$, by Lemma 39 there exist states $(A^t_i, m_k)$ and actions $\alpha_i$ (for $i \in \{1, \ldots, n\}$, and $n > 0$) such that

• $(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k)$ (with an empty substitution $\sigma_\epsilon$),

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$),

• $\mathit{post}(\delta_1) \in A^t_n$, $\mathit{pre}(\delta_1) \notin A^t_n$, and

• $A^t_n \sim A_g$.

Since $(A_g, m_g, \delta_1 ; \delta_2) \cong (A_k, m_k)$, then $A_g \sim A_k$, $m_g = m_k$, and $\mathit{pre}(\delta_1 ; \delta_2) \in A_k$. By the definition of $\tau_{\mathcal{G}}$ and Lemma 30, it is easy to see that

• $\mathit{pre}(\delta_1 ; \delta_2) = \mathit{pre}(\delta_1)$,

• $\mathit{post}(\delta_1) = \mathit{pre}(\delta_2)$,

• $\mathit{post}(\delta_1 ; \delta_2) = \mathit{post}(\delta_2)$.

Hence, because $\mathit{post}(\delta_1) \in A^t_n$ and $\mathit{post}(\delta_1) = \mathit{pre}(\delta_2)$, we have $\mathit{pre}(\delta_2) \in A^t_n$. Now, since $A_g \sim A^t_n$, $m_g = m_k$, and $\mathit{pre}(\delta_2) \in A^t_n$, then we have $(A_g, m_g, \delta_2) \cong (A^t_n, m_k)$.

Thus, since we also have

$(A_g, m_g, \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_2)$,

by using the induction hypothesis we have that the claim is proven.

[$\delta_g = \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2$]. There are two cases:

(1) $(A_g, m_g, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1)$,

(2) $(A_g, m_g, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_2)$.

Here we only consider the first case. The second case is similar.

Case (1). Since

$(A_g, m_g, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1)$,

then we have

$(A_g, m_g, \delta_1) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1)$

with $\mathrm{ANS}(\varphi, T, A_g) = \mathit{true}$. Since $(A_g, m_g, \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \cong (A_k, m_k)$, then $A_g \sim A_k$, $m_g = m_k$, and $\mathit{pre}(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \in A_k$. By the definition of $\tau_{\mathcal{G}}$ and Lemma 30 we have

• $\mathit{pre}(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \wedge \varphi \mapsto \gamma_{if}() \in \Pi'$

• $\gamma_{if} \in \Gamma'$, where

$\gamma_{if}() : \{\mathit{true} \rightsquigarrow \mathbf{add}\ \{\mathit{pre}(\delta_1), \mathrm{State}(temp)\}, \mathbf{del}\ \{\mathit{pre}(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2)\}\}$.

Since $A_k \sim A_g$, $\mathrm{ANS}(\varphi, T, A_g) = \mathit{true}$, and $\varphi$ does not use any special marker concept names, by Lemma 21 we have $\mathrm{ANS}(\varphi, T, A_k) = \mathit{true}$. Now, since $\mathit{pre}(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \in A_k$ and $\mathrm{ANS}(\varphi, T, A_k) = \mathit{true}$, it is easy to see that

$(A_k, m_k) \xrightarrow{\gamma_{if}\sigma_\epsilon} (A_t, m_k)$

where $\sigma_\epsilon$ is an empty substitution, $\{\mathit{pre}(\delta_1), \mathrm{State}(temp)\} \subseteq A_t$, and $A_t \sim A_k$. Since $A_t \sim A_k$ and $A_g \sim A_k$, it is easy to see that $A_g \sim A_t$. Since $A_g \sim A_t$, $m_g = m_k$, and $\mathit{pre}(\delta_1) \in A_t$, then we have $(A_g, m_g, \delta_1) \cong (A_t, m_k)$.

Thus, since $(A_g, m_g, \delta_1) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_1)$ and $(A_g, m_g, \delta_1) \cong (A_t, m_k)$, by induction hypothesis, it is easy to see that the claim is proven for this case.

[$\delta_g = \mathbf{while}\ \varphi\ \mathbf{do}\ \delta$]. Since

$(A_g, m_g, \mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta' ; \mathbf{while}\ \varphi\ \mathbf{do}\ \delta)$,

then we have $\mathrm{ANS}(\varphi, T, A_g) = \mathit{true}$ and

$(A_g, m_g, \delta) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta')$.

Since $(A_g, m_g, \mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \cong (A_k, m_k)$, then $A_g \sim A_k$, $m_g = m_k$, and $\mathit{pre}(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \in A_k$. By the definition of $\tau_{\mathcal{G}}$ and Lemma 30 we have

• $(\mathit{pre}(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \vee \mathit{post}(\delta)) \wedge \varphi \wedge \neg\mathrm{Noop}(noop) \mapsto \gamma_{doLoop}() \in \Pi'$,

• $\gamma_{doLoop}() : \{\mathit{true} \rightsquigarrow \mathbf{add}\ \{\mathit{pre}(\delta), \mathrm{Noop}(noop), \mathrm{State}(temp)\}, \mathbf{del}\ \{\mathit{pre}(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta), \mathit{post}(\delta)\}\}$.

Since $A_k \sim A_g$, $\mathrm{ANS}(\varphi, T, A_g) = \mathit{true}$, and $\varphi$ does not use any special marker concept names, by Lemma 21 we have $\mathrm{ANS}(\varphi, T, A_k) = \mathit{true}$. Additionally, it is easy to see from the definition of $\tau_{\mathcal{G}}$ that $\mathrm{Noop}(noop) \notin A_k$. Now, since $\mathit{pre}(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta) \in A_k$, $\mathrm{ANS}(\varphi, T, A_k) = \mathit{true}$, and $\mathrm{Noop}(noop) \notin A_k$, it is easy to see that

$(A_k, m_k) \xrightarrow{\gamma_{doLoop}\sigma_\epsilon} (A_t, m_k)$

where $\sigma_\epsilon$ is an empty substitution, $\{\mathit{pre}(\delta), \mathrm{State}(temp)\} \subseteq A_t$, and $A_t \sim A_k$. Since $A_t \sim A_k$ and $A_g \sim A_k$, it is easy to see that $A_g \sim A_t$. Since $A_g \sim A_t$, $m_g = m_k$, and $\mathit{pre}(\delta) \in A_t$, then we have $(A_g, m_g, \delta) \cong (A_t, m_k)$.

Thus, since $(A_g, m_g, \delta) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta')$ and $(A_g, m_g, \delta) \cong (A_t, m_k)$, by induction hypothesis there exist states $(A'_k, m'_k)$, $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, where $n \geq 0$), and actions $\alpha'$, $\alpha_i$ (for $i \in \{1, \ldots, n\}$, where $n \geq 0$) such that

• $(A_t, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

- $\sigma_\epsilon$ is an empty substitution,

- $\alpha'$ is obtained from $\alpha$ through $\tau_{\mathcal{G}}$,

- $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$,

• $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.

The proof for this case is then completed by also observing that, by the definition of the program execution relation (in the case of while loops), the while loop is repeated at the end of the execution of program $\delta$, and this situation is captured in the definition of $\tau_{\mathcal{G}}$ by having $\mathit{post}(\delta) = \mathit{pre}(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta)$.

□ 

We now proceed to show another crucial lemma for showing the bisimulation between an S-GKAB transition system and the transition system of its corresponding S-KAB that is obtained via $\tau_{\mathcal{G}}$. Basically, we show that given a state $s_1$ of an S-GKAB transition system, and a state $s_2$ of its corresponding S-KAB transition system such that $s_2$ mimics $s_1$, if $s_2$ reaches $s'_2$ (possibly through some intermediate states $s^t_1, \ldots, s^t_n$ that contain $\mathrm{State}(temp)$), then $s_1$ reaches in one step a state $s'_1$ that is mimicked by $s'_2$.

Lemma 41. Let $\mathcal{G} = (T, A_0, \Gamma, \delta)$ be an S-GKAB with transition system $\Upsilon^{f_S}_{\mathcal{G}}$, and $\tau_{\mathcal{G}}(\mathcal{G}) = (T, A'_0, \Gamma', \Pi')$ be an S-KAB (obtained from $\mathcal{G}$ through $\tau_{\mathcal{G}}$) with transition system $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$ where

1. $A'_0 = A_0 \cup \{\mathrm{Flag}(start)\}$, and

2. $\tau_{\mathcal{G}}(\mathrm{Flag}(start), \delta, \mathrm{Flag}(end)) = (\mathit{pre}, \mathit{post}, \Pi', \Gamma')$.

Consider two states $(A_g, m_g, \delta_g)$ of $\Upsilon^{f_S}_{\mathcal{G}}$ and $(A_k, m_k)$ of $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$ such that $(A_g, m_g, \delta_g) \cong (A_k, m_k)$. For every state $(A'_k, m'_k)$ such that

• there exist $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, $n \geq 0$), and

• $(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

- $\sigma_\epsilon$ is an empty substitution,

- $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

- $\alpha' \in \Gamma^-$,

- $Q(p) \mapsto \alpha'(p) \in \Pi'$,

- if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

- $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$,

then there exists a state $(A'_g, m'_g, \delta'_g)$ such that

• $(A_g, m_g, \delta_g) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_g)$,

• $\alpha'$ is obtained from the translation of a certain action invocation $\mathbf{pick}\ Q(p).\alpha(p)$ via $\tau_{\mathcal{G}}$,

• $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.


Proof. Let

• $\Upsilon^{f_S}_{\mathcal{G}} = (\Delta, T, \Sigma_g, s_{0g}, \mathit{abox}_g, \Rightarrow_g)$, and

• $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})} = (\Delta, T, \Sigma_k, s_{0k}, \mathit{abox}_k, \Rightarrow_k)$.

We prove the claim by induction over the structure of $\delta$.

Base case:

[$\delta_g = \varepsilon$]. Since $\delta_g = \varepsilon$, by the definition of $\tau_{\mathcal{G}}$, there must not exist $(A'_k, m'_k)$ and $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$,

where

• $\sigma_\epsilon$ is an empty substitution,

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

• $\alpha' \in \Gamma^-$,

• $Q(p) \mapsto \alpha'(p) \in \Pi'$,

• if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$.

The intuition is that the translation $\tau_{\mathcal{G}}$ translates empty programs into actions that only add $\mathrm{State}(temp)$.

[$\delta_g = \mathbf{pick}\ Q(p).\alpha(p)$]. Assume that there exist states $(A'_k, m'_k)$ and $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

• $\sigma_\epsilon$ is an empty substitution,

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

• $\alpha' \in \Gamma^-$,

• $Q(p) \mapsto \alpha'(p) \in \Pi'$,

• if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$.

Additionally, w.l.o.g., let $\theta$ be the corresponding substitution that evaluates service calls in the transition

$(A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$.

Now, since $(A_g, m_g, \mathbf{pick}\ Q(p).\alpha(p)) \cong (A_k, m_k)$, then $\mathit{pre}(\mathbf{pick}\ Q(p).\alpha(p)) \in A_k$. Moreover, since we also have $\delta_g = \mathbf{pick}\ Q(p).\alpha(p)$, by the definition of $\tau_{\mathcal{G}}$ and Lemma 38 we have that $\alpha'$ must be obtained from $\mathbf{pick}\ Q(p).\alpha(p)$ and hence we have that $Q(p) \wedge \mathit{pre}(\mathbf{pick}\ Q(p).\alpha(p)) \mapsto \alpha'(p) \in \Pi'$.

Now, by our assumption above and by Lemma 36 we have that $A_k \sim A^t_1$, $A^t_i \sim A^t_{i+1}$ (for $i \in \{1, \ldots, n-1\}$), and $A^t_n \sim A'_k$, and hence we have $A_g \sim A^t_n$. Since $A_g \sim A^t_n$ and $Q$ does not use any special marker concept names, by Lemma 21 we have $\mathrm{ANS}(Q, T, A_g) = \mathrm{ANS}(Q, T, A^t_n)$ and hence $\sigma \in \mathrm{ANS}(Q, T, A_g)$. Additionally, considering

$\mathrm{EFF}(\alpha') = \mathrm{EFF}(\alpha)$
$\cup\ \{\mathit{true} \mapsto \mathbf{add}\ \{\mathit{post}(\mathbf{pick}\ Q(p).\alpha(p))\}\}$
$\cup\ \{\mathit{true} \mapsto \mathbf{del}\ \{\mathit{pre}(\mathbf{pick}\ Q(p).\alpha(p)), \mathrm{State}(temp)\}\}$
$\cup\ \{\mathrm{Noop}(x) \mapsto \mathbf{del}\ \mathrm{Noop}(x)\}$,
then it is easy to see that we have

$\mathrm{ADD}^{\alpha\sigma}_{A_g} = \mathrm{ADD}^{\alpha'\sigma}_{A^t_n} \setminus \{\mathit{post}(\mathbf{pick}\ Q(p).\alpha(p))\}$,

and hence

$\mathrm{CALLS}(\mathrm{ADD}^{\alpha\sigma}_{A_g}) = \mathrm{CALLS}(\mathrm{ADD}^{\alpha'\sigma}_{A^t_n})$

and $\theta \in \mathrm{CALLS}(\mathrm{ADD}^{\alpha\sigma}_{A_g})$. Since $m'_k = \theta \cup m_k$, $m_k = m_g$ and $\theta \in \mathrm{CALLS}(\mathrm{ADD}^{\alpha\sigma}_{A_g})$, we can construct $m'_g = \theta \cup m_g$. Thus, it is easy to see that there exists $(A'_g, m'_g, \varepsilon)$ such that

$(A_g, m_g, \mathbf{pick}\ Q(p).\alpha(p)) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \varepsilon)$

(with service call substitution $\theta$) and $A'_g \sim A'_k$ (by considering how $A'_k$ is constructed), $m'_g = m'_k$. Moreover, by the definition of $\tau_{\mathcal{G}}$ (in the translation of an action invocation) we also have $\mathit{pre}(\varepsilon) \in A'_k$ (because $\mathit{post}(\mathbf{pick}\ Q(p).\alpha(p)) = \mathit{pre}(\varepsilon)$). Thus the claim is proven.

Inductive case:

[$\delta_g = \delta_1 \mid \delta_2$]. Assume that there exist states $(A'_k, m'_k)$ and $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

• $\sigma_\epsilon$ is an empty substitution,

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

• $\alpha' \in \Gamma^-$,

• $Q(p) \mapsto \alpha'(p) \in \Pi'$,

• if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$.

By the definition of $\tau_{\mathcal{G}}$ on the translation of a program of the form $\delta_1 \mid \delta_2$ and $\mathbf{pick}\ Q(p).\alpha(p)$, there exists $j \in \{1, \ldots, n\}$ such that $\mathit{pre}(\delta_1 \mid \delta_2) \in A^t_{j-1}$, and either

(a) $\alpha_j = \gamma_{\delta_1}$, and $\mathit{pre}(\delta_1) \in A^t_j$, or

(b) $\alpha_j = \gamma_{\delta_2}$, and $\mathit{pre}(\delta_2) \in A^t_j$,

where $\gamma_{\delta_1}$ and $\gamma_{\delta_2}$ are the actions obtained from the translation of $\delta_1 \mid \delta_2$ by $\tau_{\mathcal{G}}$, and it might be the case that $A_k = A^t_{j-1}$ (if $j = 1$). Now, by our assumption above and by Lemma 36 we have that $A_k \sim A^t_j$ and hence it is easy to see that we also have $A_g \sim A^t_j$. Thus, essentially we have

$(A^t_j, m_k) \xrightarrow{\alpha_{j+1}\sigma_\epsilon} (A^t_{j+1}, m_k) \xrightarrow{\alpha_{j+2}\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$,

and

(a) if $\alpha_j = \gamma_{\delta_1}$, then $(A_g, m_g, \delta_1) \cong (A^t_j, m_k)$ (because $A_g \sim A^t_j$, $m_g = m_k$, $\mathit{pre}(\delta_1) \in A^t_j$), otherwise

(b) if $\alpha_j = \gamma_{\delta_2}$, then $(A_g, m_g, \delta_2) \cong (A^t_j, m_k)$ (because $A_g \sim A^t_j$, $m_g = m_k$, $\mathit{pre}(\delta_2) \in A^t_j$).

Therefore by induction hypothesis, it is easy to see that the claim is proven by also considering the definition of the program execution relation.

[$\delta_g = \delta_1 ; \delta_2$]. Assume that there exist states $(A'_k, m'_k)$ and $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

• $\sigma_\epsilon$ is an empty substitution,

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

• $\alpha' \in \Gamma^-$,

• $Q(p) \mapsto \alpha'(p) \in \Pi'$,

• if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$.

By the definition of $\tau_{\mathcal{G}}$ on the translation of $\delta_1 ; \delta_2$ and $\mathbf{pick}\ Q(p).\alpha(p)$, as well as Lemma 39, there are two cases:

(a) there exists $j \in \{1, \ldots, n\}$ such that $\mathit{pre}(\delta_1) \in A^t_j$, and $\mathit{post}(\delta_1) \notin A^t_l$ for $l \in \{j+1, \ldots, n\}$ (capturing the case when $(A_g, m_g, \delta_1)$ is not a final state).

(b) there exist $j \in \{1, \ldots, n-1\}$ and $l \in \{j+1, \ldots, n\}$ such that $\mathit{pre}(\delta_1) \in A^t_j$, $\mathit{post}(\delta_1) \in A^t_l$, $\mathit{pre}(\delta_2) \in A^t_l$, $\mathit{post}(\delta_1) = \mathit{pre}(\delta_2)$ (capturing the case when $(A_g, m_g, \delta_1) \in F$).

Now, by our assumption above and by Lemma 36 we have that

- For the case (a): $A_k \sim A^t_j$, and hence it is easy to see that we also have $A_g \sim A^t_j$. Thus we have that $(A_g, m_g, \delta_1) \cong (A^t_j, m_k)$.

- For the case (b): $A_k \sim A^t_l$, and hence it is easy to see that we also have $A_g \sim A^t_l$. Thus we have that $(A_g, m_g, \delta_2) \cong (A^t_l, m_k)$.

Therefore by induction hypothesis, it is easy to see that the claim is proven by also considering the definition of the program execution relation.

[$\delta_g = \mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2$]. Assume that there exist states $(A'_k, m'_k)$ and $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

• $\sigma_\epsilon$ is an empty substitution,

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

• $\alpha' \in \Gamma^-$,

• $Q(p) \mapsto \alpha'(p) \in \Pi'$,

• if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$.

By the definition of $\tau_{\mathcal{G}}$ on the translation of a program of the form $\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2$ and $\mathbf{pick}\ Q(p).\alpha(p)$, there exists $j \in \{1, \ldots, n\}$ such that $\mathit{pre}(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) \in A^t_{j-1}$ and either

(a) $\alpha_j = \gamma_{if}$, $\mathit{pre}(\delta_1) \in A^t_j$, and $\mathrm{ANS}(\varphi, T, A^t_{j-1}) = \mathit{true}$, or

(b) $\alpha_j = \gamma_{else}$, $\mathit{pre}(\delta_2) \in A^t_j$, and $\mathrm{ANS}(\varphi, T, A^t_{j-1}) = \mathit{false}$,

where $\gamma_{if}$ and $\gamma_{else}$ are the actions obtained from the translation of $\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2$ by $\tau_{\mathcal{G}}$, and it might be the case that $A_k = A^t_{j-1}$ (if $j = 1$). Now, by our assumption above and by Lemma 36 we have that $A_k \sim A^t_j$, and hence it is easy to see that we also have $A_g \sim A^t_j$. Thus, essentially we have

$(A^t_{j-1}, m_k) \xrightarrow{\alpha_j\sigma_\epsilon} (A^t_j, m_k) \xrightarrow{\alpha_{j+1}\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$,

and

(a) if $\alpha_j = \gamma_{if}$, then $(A_g, m_g, \delta_1) \cong (A^t_j, m_k)$ (because $A_g \sim A^t_j$, $m_g = m_k$, $\mathit{pre}(\delta_1) \in A^t_j$), otherwise

(b) if $\alpha_j = \gamma_{else}$, then $(A_g, m_g, \delta_2) \cong (A^t_j, m_k)$ (because $A_g \sim A^t_j$, $m_g = m_k$, $\mathit{pre}(\delta_2) \in A^t_j$).

Therefore by induction hypothesis, it is easy to see that the claim is proven by also considering the definition of the program execution relation.

[$\delta_g = \mathbf{while}\ \varphi\ \mathbf{do}\ \delta_1$]. Assume that there exist states $(A'_k, m'_k)$ and $(A^t_i, m_k)$ (for $i \in \{1, \ldots, n\}$, and $n \geq 0$) such that

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

• $\sigma_\epsilon$ is an empty substitution,

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$),

• $\alpha' \in \Gamma^-$,

• $Q(p) \mapsto \alpha'(p) \in \Pi'$,

• if $n = 0$, then $\sigma \in \mathrm{ANS}(Q, T, A_k)$, otherwise $\sigma \in \mathrm{ANS}(Q, T, A^t_n)$,

• $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$.

By the definition of $\tau_{\mathcal{G}}$ on the translation of a program of the form $\mathbf{while}\ \varphi\ \mathbf{do}\ \delta_1$ and $\mathbf{pick}\ Q(p).\alpha(p)$, there exists $j \in \{1, \ldots, n\}$ such that

• $\alpha_j = \gamma_{doLoop}$ ($\gamma_{doLoop}$ is the action obtained during the translation of $\mathbf{while}\ \varphi\ \mathbf{do}\ \delta_1$ by $\tau_{\mathcal{G}}$),

• $\mathit{pre}(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta_1) \in A^t_{j-1}$ (where $A^t_{j-1} = A_k$ when $j = 1$), and

• $\mathit{pre}(\delta_1) \in A^t_j$.

Now, by our assumption above and by Lemma 36 we have that $A_k \sim A^t_j$, and hence it is easy to see that $A_g \sim A^t_j$. Thus, essentially we have

$(A^t_j, m_k) \xrightarrow{\alpha_{j+1}\sigma_\epsilon} (A^t_{j+1}, m_k) \xrightarrow{\alpha_{j+2}\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$,

and $(A_g, m_g, \delta_1) \cong (A^t_j, m_k)$ (because $A_g \sim A^t_j$, $m_g = m_k$, $\mathit{pre}(\delta_1) \in A^t_j$). Therefore by induction hypothesis, it is easy to see that the claim is proven by also considering the definition of the program execution relation.

□ 


Now we will show that given a state $s_g$ of an S-GKAB transition system and a state $s_k$ of its corresponding S-KAB transition system such that $s_g$ is mimicked by $s_k$, then $s_g$ and $s_k$ are J-bisimilar. Formally this claim is stated and shown below.

Lemma 42. Let $\mathcal{G}$ be an S-GKAB with transition system $\Upsilon^{f_S}_{\mathcal{G}}$, and let $\tau_{\mathcal{G}}(\mathcal{G})$ be an S-KAB with transition system $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$ obtained from $\mathcal{G}$ through $\tau_{\mathcal{G}}$. Consider a state $(A_g, m_g, \delta_g)$ of $\Upsilon^{f_S}_{\mathcal{G}}$ and a state $(A_k, m_k)$ of $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$. If $(A_g, m_g, \delta_g) \cong (A_k, m_k)$ then $(A_g, m_g, \delta_g) \sim_J (A_k, m_k)$.

Proof. Let

• $\mathcal{G} = (T, A_0, \Gamma, \delta)$ and $\Upsilon^{f_S}_{\mathcal{G}} = (\Delta, T, \Sigma_g, s_{0g}, \mathit{abox}_g, \Rightarrow_g)$,

• $\tau_{\mathcal{G}}(\mathcal{G}) = (T, A'_0, \Gamma', \Pi')$, and $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})} = (\Delta, T, \Sigma_k, s_{0k}, \mathit{abox}_k, \Rightarrow_k)$.

We have to show:

(1) for every state $(A'_g, m'_g, \delta'_g)$ such that $(A_g, m_g, \delta_g) \Rightarrow_g (A'_g, m'_g, \delta'_g)$, there exist states $(A'_k, m'_k)$, $(A^t_1, m_k), \ldots, (A^t_n, m_k)$ (for $n \geq 0$) with

$(A_k, m_k) \Rightarrow_k (A^t_1, m_k) \Rightarrow_k \cdots \Rightarrow_k (A^t_n, m_k) \Rightarrow_k (A'_k, m'_k)$

such that:

(a) $\mathrm{State}(temp) \notin A'_k$, $\mathrm{State}(temp) \in A^t_i$ for $i \in \{1, \ldots, n\}$, and

(b) $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.

(2) for every state $(A'_k, m'_k)$ such that there exist states $(A^t_1, m_1), \ldots, (A^t_n, m_n)$ (for $n \geq 0$) and

$(A_k, m_k) \Rightarrow_k (A^t_1, m_1) \Rightarrow_k \cdots \Rightarrow_k (A^t_n, m_n) \Rightarrow_k (A'_k, m'_k)$

where $\mathrm{State}(temp) \notin A'_k$, and $\mathrm{State}(temp) \in A^t_i$ for $i \in \{1, \ldots, n\}$, then there exists a state $(A'_g, m'_g, \delta'_g)$ with $(A_g, m_g, \delta_g) \Rightarrow_g (A'_g, m'_g, \delta'_g)$ such that $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.
Proof for (1): Assume $(A_g, m_g, \delta_g) \Rightarrow_g (A'_g, m'_g, \delta'_g)$, then by the definition of GKABs transition system we have

$(A_g, m_g, \delta_g) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_g)$.

Additionally, it is easy to see that $A'_g$ is $T$-consistent. By Lemma 40 there exist states $(A^t_i, m_k)$ and actions $\alpha_i$ (for $i \in \{1, \ldots, n\}$, where $n \geq 0$) such that

• $(A_k, m_k) \xrightarrow{\alpha_1\sigma_\epsilon} (A^t_1, m_k) \xrightarrow{\alpha_2\sigma_\epsilon} \cdots \xrightarrow{\alpha_n\sigma_\epsilon} (A^t_n, m_k) \xrightarrow{\alpha'\sigma} (A'_k, m'_k)$

where

- $\sigma_\epsilon$ is an empty substitution,

- $\alpha'$ is obtained from $\alpha$ through $\tau_{\mathcal{G}}$,

- $\mathrm{State}(temp) \in A^t_i$ (for $i \in \{1, \ldots, n\}$), $\mathrm{State}(temp) \notin A'_k$,

• $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.

Additionally, since $A'_g$ is $T$-consistent and $A'_g \sim A'_k$, then $A'_k$ is $T$-consistent. As a consequence, the claim is easily proven, since by the definition of S-KABs standard transition systems we have

$(A_k, m_k) \Rightarrow_k (A^t_1, m_k) \Rightarrow_k \cdots \Rightarrow_k (A^t_n, m_k) \Rightarrow_k (A'_k, m'_k)$

where

(a) $\mathrm{State}(temp) \notin A'_k$, and $\mathrm{State}(temp) \in A^t_i$ for $i \in \{1, \ldots, n\}$, and

(b) $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.

Proof for (2): Assume

$(A_k, m_k) \Rightarrow_k (A^t_1, m_k) \Rightarrow_k \cdots \Rightarrow_k (A^t_n, m_k) \Rightarrow_k (A'_k, m'_k)$

where $n \geq 0$, $\mathrm{State}(temp) \notin A'_k$, and $\mathrm{State}(temp) \in A^t_i$ for $i \in \{1, \ldots, n\}$. By the definition of S-KABs transition systems, we then have

$(A_k, m_k) \xrightarrow{\alpha_1\sigma_1} (A^t_1, m_1) \xrightarrow{\alpha_2\sigma_2} \cdots \xrightarrow{\alpha_n\sigma_n} (A^t_n, m_n) \xrightarrow{\alpha'\sigma'} (A'_k, m'_k)$

for some actions $\alpha'$, $\alpha_i$ (for $i \in \{1, \ldots, n\}$), and substitutions $\sigma'$, $\sigma_i$ (for $i \in \{1, \ldots, n\}$). Let $\Gamma^+$ (resp. $\Gamma^-$) be the set of temp adder (resp. deleter) actions of $\tau_{\mathcal{G}}(\mathcal{G})$. Since $\mathrm{State}(temp) \notin A'_k$, and $\mathrm{State}(temp) \in A^t_i$ for $i \in \{1, \ldots, n\}$, by Lemmas 36 and [?] we have that

• $\sigma_i$ is an empty substitution (for $i \in \{1, \ldots, n\}$),

• $\alpha_i \in \Gamma^+$ (for $i \in \{1, \ldots, n\}$), and

• $\alpha' \in \Gamma^-$,

• there exists an action invocation $\mathbf{pick}\ Q(p).\alpha(p)$ that is a sub-program of $\delta$ such that $\alpha'$ is obtained from the translation of $\mathbf{pick}\ Q(p).\alpha(p)$ by $\tau_{\mathcal{G}}$,

• $\alpha_i$ (for $i \in \{1, \ldots, n\}$) does not involve any service calls, and hence $m_i = m_{i+1}$ (for $i \in \{1, \ldots, n-1\}$).

Therefore, by Lemma 41 there exists a state $(A'_g, m'_g, \delta'_g)$ such that

• $(A_g, m_g, \delta_g) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_g)$,

• $\alpha'$ is obtained from the translation of a certain action invocation $\mathbf{pick}\ Q(p).\alpha(p)$ via $\tau_{\mathcal{G}}$,

• $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.

Since $(A_g, m_g, \delta_g) \xrightarrow{\alpha\sigma, f_S} (A'_g, m'_g, \delta'_g)$, by the definition of GKABs transition systems, we have that $(A_g, m_g, \delta_g) \Rightarrow_g (A'_g, m'_g, \delta'_g)$. Thus the claim is proven, since we also have that $(A'_g, m'_g, \delta'_g) \cong (A'_k, m'_k)$.

□ 


Having Lemma 42 in hand, we can easily show that given an S-GKAB, its transition system is J-bisimilar to the transition system of its corresponding S-KAB that is obtained via the translation $\tau_{\mathcal{G}}$.

Lemma 43. Given an S-GKAB $\mathcal{G}$, we have $\Upsilon^{f_S}_{\mathcal{G}} \sim_J \Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$.

Proof. Let

1. $\mathcal{G} = (T, A_0, \Gamma, \delta)$, and $\Upsilon^{f_S}_{\mathcal{G}} = (\Delta, T, \Sigma_g, s_{0g}, \mathit{abox}_g, \Rightarrow_g)$,

2. $\tau_{\mathcal{G}}(\mathcal{G}) = (T, A'_0, \Gamma', \Pi')$, and $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})} = (\Delta, T, \Sigma_k, s_{0k}, \mathit{abox}_k, \Rightarrow_k)$.

We have that $s_{0g} = (A_0, m_g, \delta)$ and $s_{0k} = (A'_0, m_k)$ where $m_g = m_k = \emptyset$. Since $A'_0 = A_0 \cup \{\mathrm{Flag}(start)\}$, and $\mathrm{Flag}$ is a special vocabulary outside the vocabulary of $T$, hence $A'_0 \sim A_0$. Now, by Lemma 30 we have $\mathit{pre}(\delta) = \mathrm{Flag}(start)$ and $\mathit{post}(\delta) = \mathrm{Flag}(end)$. Furthermore, since $\mathrm{Flag}(start) \in A'_0$, then we have $s_{0g} \cong s_{0k}$. Hence by Lemma 42 we have $s_{0g} \sim_J s_{0k}$. Therefore, we have $\Upsilon^{f_S}_{\mathcal{G}} \sim_J \Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$. □


Having all of this machinery in hand, we are now ready to show that the verification of $\mu\mathcal{L}^{EQL}_A$ properties over S-GKABs can be recast as verification over S-KABs as follows.

Theorem 44. Given an S-GKAB $\mathcal{G}$ and a closed $\mu\mathcal{L}^{EQL}_A$ property $\Phi$ in NNF,

$\Upsilon^{f_S}_{\mathcal{G}} \models \Phi$ if and only if $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})} \models t_J(\Phi)$.

Proof. By Lemma 43 we have that $\Upsilon^{f_S}_{\mathcal{G}} \sim_J \Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})}$. Hence, by Lemma [?] we have that for every $\mu\mathcal{L}^{EQL}_A$ property $\Phi$

$\Upsilon^{f_S}_{\mathcal{G}} \models \Phi$ if and only if $\Upsilon^S_{\tau_{\mathcal{G}}(\mathcal{G})} \models t_J(\Phi)$.

□

Proof of Theorem 3

The proof of Theorem 3 is then essentially a consequence of Theorem 44.

D From B-GKABs to S-GKABs

This section aims to show that the verification of $\mu\mathcal{L}^{EQL}_A$ properties over B-GKABs can be recast as verification over S-GKABs. Formally, given a B-GKAB $\mathcal{G}$ and a $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$, we show that $\Upsilon^B_{\mathcal{G}} \models \Phi$ if and only if $\Upsilon^{f_S}_{\tau_B(\mathcal{G})} \models t_B(\Phi)$ (this claim is formally stated and proven in Theorem 57). To this aim, our approach is as follows: we first introduce a notion of leaping bisimulation (L-bisimulation) and show that two L-bisimilar transition systems cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ property modulo the translation $t_B$. Then, we show that the b-repair program always terminates and produces the same result as the b-repair over a knowledge base. Using those results, we show that given a B-GKAB, its transition system is L-bisimilar to the transition system of its corresponding S-GKAB that is obtained through the translation $\tau_B$. As a consequence, using the property of L-bisimulation, we have that they cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ property modulo the translation $t_B$.

D.1 Leaping Bisimulation (L-Bisimulation)

We define the notion of leaping bisimulation as follows.

Definition 45 (Leaping Bisimulation (L-Bisimulation)). Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2)$ be transition systems, with $\mathrm{ADOM}(\mathit{abox}_1(s_{01})) \subseteq \Delta$ and $\mathrm{ADOM}(\mathit{abox}_2(s_{02})) \subseteq \Delta$. A leaping bisimulation (L-bisimulation) between $\Upsilon_1$ and $\Upsilon_2$ is a relation $B \subseteq \Sigma_1 \times \Sigma_2$ such that $(s_1, s_2) \in B$ implies that:

1. $\mathit{abox}_1(s_1) = \mathit{abox}_2(s_2)$

2. for each $s''_1$, if $s_1 \Rightarrow_1 s''_1$ then there exist $s'_2, s''_2, t_1, \ldots, t_n$ (for $n \geq 0$) with

$s_2 \Rightarrow_2 s'_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s''_2$

such that $(s''_1, s''_2) \in B$, $\mathrm{M}(rep) \notin \mathit{abox}_2(s''_2)$ and $\mathrm{M}(rep) \in \mathit{abox}_2(t_i)$ for $i \in \{1, \ldots, n\}$.

3. for each $s''_2$, if

$s_2 \Rightarrow_2 s'_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s''_2$

(for $n \geq 0$) with $\mathrm{M}(rep) \in \mathit{abox}_2(t_i)$ for $i \in \{1, \ldots, n\}$ and $\mathrm{M}(rep) \notin \mathit{abox}_2(s''_2)$, then there exists $s''_1$ with $s_1 \Rightarrow_1 s''_1$, such that $(s''_1, s''_2) \in B$.

■

Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2)$ be transition systems. A state $s_1 \in \Sigma_1$ is L-bisimilar to $s_2 \in \Sigma_2$, written $s_1 \sim_L s_2$, if there exists an L-bisimulation $B$ between $\Upsilon_1$ and $\Upsilon_2$ such that $(s_1, s_2) \in B$. A transition system $\Upsilon_1$ is L-bisimilar to $\Upsilon_2$, written $\Upsilon_1 \sim_L \Upsilon_2$, if there exists an L-bisimulation $B$ between $\Upsilon_1$ and $\Upsilon_2$ such that $(s_{01}, s_{02}) \in B$.

Now, we advance further to show that two transition systems which are L-bisimilar cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula (in NNF) modulo the translation $t_B$, which is defined in detail as follows:

Definition 46 (Translation $t_B$). We define a translation $t_B$ that transforms an arbitrary $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ (in NNF) into another $\mu\mathcal{L}^{EQL}_A$ formula $\Phi'$ inductively by recurring over the structure of $\Phi$ as follows:

• $t_B(Q) = Q$

• $t_B(\neg Q) = \neg Q$

• $t_B(\mathcal{Q}x.\Phi) = \mathcal{Q}x.t_B(\Phi)$

• $t_B(\Phi_1 \circ \Phi_2) = t_B(\Phi_1) \circ t_B(\Phi_2)$

• $t_B(\circledcirc Z.\Phi) = \circledcirc Z.t_B(\Phi)$

• $t_B(\langle - \rangle \Phi) = \langle - \rangle \langle - \rangle \mu Z.((\mathrm{M}(rep) \wedge \langle - \rangle Z) \vee (\neg \mathrm{M}(rep) \wedge t_B(\Phi)))$

• $t_B([-]\Phi) = [-][-]\mu Z.((\mathrm{M}(rep) \wedge [-]Z \wedge \langle - \rangle \top) \vee (\neg \mathrm{M}(rep) \wedge t_B(\Phi)))$

where:

• $\circ$ is a binary operator ($\vee$, $\wedge$, $\rightarrow$, or $\leftrightarrow$),

• $\circledcirc$ is the least ($\mu$) or greatest ($\nu$) fixpoint operator,

• $\mathcal{Q}$ is the universal ($\forall$) or existential ($\exists$) quantifier.

■
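The translation $t_B$ of Definition 46 as runnable code, added here as an example (it is not code from the paper): a small AST for $\mu\mathcal{L}^{EQL}_A$ formulas in NNF and the case-by-case translation. The AST, the atom name M(rep), and the choice of fresh names Z, Z1, Z2, ... for the bound variable that the definition simply writes as $Z$ are assumptions of this example.

```python
"""Added example, not from the paper: the translation t_B of Definition 46
over a small AST for mu-L^EQL_A formulas in NNF (AST and naming are ours)."""
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Q:                 # EQL query Q; neg=True is the NNF literal ¬Q
    text: str
    neg: bool = False

@dataclass(frozen=True)
class Var:               # predicate (second-order) variable Z
    name: str

@dataclass(frozen=True)
class Quant:             # Qx.Phi with kind in {"exists", "forall"}
    kind: str
    var: str
    body: "Formula"

@dataclass(frozen=True)
class Bin:               # Phi1 o Phi2 with op in {"and", "or", "impl", "iff"}
    op: str
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Fix:               # fixpoint (mu|nu) Z.Phi
    kind: str
    var: str
    body: "Formula"

@dataclass(frozen=True)
class Modal:             # <->Phi (kind "dia") or [-]Phi (kind "box")
    kind: str
    body: "Formula"

Formula = Union[Q, Var, Quant, Bin, Fix, Modal]

M_REP = Q("M(rep)")      # marker of an intermediate (repair) state
NOT_M_REP = Q("M(rep)", neg=True)
TRUE = Q("true")

def variables(phi: Formula) -> set:
    """All predicate-variable names occurring in phi (bound or free)."""
    if isinstance(phi, Var):
        return {phi.name}
    if isinstance(phi, Fix):
        return {phi.var} | variables(phi.body)
    if isinstance(phi, (Quant, Modal)):
        return variables(phi.body)
    if isinstance(phi, Bin):
        return variables(phi.left) | variables(phi.right)
    return set()

def fresh(phi: Formula) -> str:
    """A variable name unused in phi. Definition 46 just writes Z; we pick
    Z, Z1, Z2, ... so nested translations do not capture each other's Z."""
    used, i = variables(phi), 0
    while ("Z" if i == 0 else f"Z{i}") in used:
        i += 1
    return "Z" if i == 0 else f"Z{i}"

def t_B(phi: Formula) -> Formula:
    """The translation t_B of Definition 46, case by case."""
    if isinstance(phi, (Q, Var)):         # t_B(Q) = Q, t_B(¬Q) = ¬Q; Z is left as is (assumed)
        return phi
    if isinstance(phi, Quant):            # t_B(Qx.Phi) = Qx.t_B(Phi)
        return Quant(phi.kind, phi.var, t_B(phi.body))
    if isinstance(phi, Bin):              # t_B(Phi1 o Phi2) = t_B(Phi1) o t_B(Phi2)
        return Bin(phi.op, t_B(phi.left), t_B(phi.right))
    if isinstance(phi, Fix):              # t_B(mu/nu Z.Phi) = mu/nu Z.t_B(Phi)
        return Fix(phi.kind, phi.var, t_B(phi.body))
    body = t_B(phi.body)
    z = Var(fresh(body))
    if phi.kind == "dia":   # <-><-> mu Z.((M(rep) ∧ <->Z) ∨ (¬M(rep) ∧ t_B(Phi)))
        loop = Bin("or", Bin("and", M_REP, Modal("dia", z)), Bin("and", NOT_M_REP, body))
    else:                   # [-][-] mu Z.((M(rep) ∧ [-]Z ∧ <->true) ∨ (¬M(rep) ∧ t_B(Phi)))
        loop = Bin("or", Bin("and", Bin("and", M_REP, Modal("box", z)), Modal("dia", TRUE)),
                   Bin("and", NOT_M_REP, body))
    return Modal(phi.kind, Modal(phi.kind, Fix("mu", z.name, loop)))

def show(phi: Formula) -> str:
    """Render a formula as text, e.g. to inspect a translation."""
    if isinstance(phi, Q):
        return ("¬" if phi.neg else "") + phi.text
    if isinstance(phi, Var):
        return phi.name
    if isinstance(phi, Quant):
        return ("∃" if phi.kind == "exists" else "∀") + phi.var + "." + show(phi.body)
    if isinstance(phi, Bin):
        sym = {"and": "∧", "or": "∨", "impl": "→", "iff": "↔"}[phi.op]
        return f"({show(phi.left)} {sym} {show(phi.right)})"
    if isinstance(phi, Fix):
        return ("μ" if phi.kind == "mu" else "ν") + phi.var + "." + show(phi.body)
    return ("<->" if phi.kind == "dia" else "[-]") + show(phi.body)
```

For instance `show(t_B(Modal("dia", Q("Q"))))` yields `<-><->μZ.((M(rep) ∧ <->Z) ∨ (¬M(rep) ∧ Q))`, the formula that the proof of Lemma 47 evaluates in the $\langle - \rangle\Psi$ case.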

Lemma 47. Consider two transition systems $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2)$, with $\mathrm{ADOM}(\mathit{abox}_1(s_{01})) \subseteq \Delta$ and $\mathrm{ADOM}(\mathit{abox}_2(s_{02})) \subseteq \Delta$. Consider two states $s_1 \in \Sigma_1$ and $s_2 \in \Sigma_2$ such that $s_1 \sim_L s_2$. Then for every formula $\Phi$ of $\mu\mathcal{L}^{EQL}_A$ (in negation normal form), and every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, such that $c_1 = c_2$, we have that

$\Upsilon_1, s_1 \models \Phi v_1$ if and only if $\Upsilon_2, s_2 \models t_B(\Phi) v_2$.

Proof. The proof is organized in three parts:

(1) We prove the claim for formulae of $\mathcal{L}^{EQL}_A$, obtained from $\mu\mathcal{L}^{EQL}_A$ by dropping the predicate variables and the fixpoint constructs. $\mathcal{L}^{EQL}_A$ corresponds to a first-order variant of the Hennessy Milner logic, and its semantics does not depend on the second-order valuation.

(2) We extend the results to the infinitary logic obtained by extending $\mathcal{L}^{EQL}_A$ with arbitrary countable disjunction.

(3) We recall that fixpoints can be translated into this infinitary logic, thus proving that the theorem holds for $\mu\mathcal{L}^{EQL}_A$.

Proof for (1): We proceed by induction on the structure of $\Phi$, without considering the case of predicate variables and of fixpoint constructs, which are not part of $\mathcal{L}^{EQL}_A$.

Base case:

($\Phi = Q$). Since $s_1 \sim_L s_2$, we have $\mathit{abox}_1(s_1) = \mathit{abox}_2(s_2)$. Hence, we have $\mathrm{ANS}(Q, T, \mathit{abox}_1(s_1)) = \mathrm{ANS}(Q, T, \mathit{abox}_2(s_2))$. Hence, since $t_B(Q) = Q$, for every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, such that $c_1 = c_2$, we have

$\Upsilon_1, s_1 \models Q v_1$ if and only if $\Upsilon_2, s_2 \models t_B(Q) v_2$.

($\Phi = \neg Q$). Similar to the previous case.

Inductive step:

($\Phi = \Psi_1 \wedge \Psi_2$). $\Upsilon_1, s_1 \models (\Psi_1 \wedge \Psi_2) v_1$ if and only if both $\Upsilon_1, s_1 \models \Psi_1 v_1$ and $\Upsilon_1, s_1 \models \Psi_2 v_1$. By induction hypothesis, for every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, such that $c_1 = c_2$, we have

- $\Upsilon_1, s_1 \models \Psi_1 v_1$ if and only if $\Upsilon_2, s_2 \models t_B(\Psi_1) v_2$, and also

- $\Upsilon_1, s_1 \models \Psi_2 v_1$ if and only if $\Upsilon_2, s_2 \models t_B(\Psi_2) v_2$.

Hence, $\Upsilon_1, s_1 \models \Psi_1 v_1$ and $\Upsilon_1, s_1 \models \Psi_2 v_1$ if and only if $\Upsilon_2, s_2 \models t_B(\Psi_1) v_2$ and $\Upsilon_2, s_2 \models t_B(\Psi_2) v_2$. Therefore we have $\Upsilon_1, s_1 \models (\Psi_1 \wedge \Psi_2) v_1$ if and only if $\Upsilon_2, s_2 \models (t_B(\Psi_1) \wedge t_B(\Psi_2)) v_2$. Since $t_B(\Psi_1 \wedge \Psi_2) = t_B(\Psi_1) \wedge t_B(\Psi_2)$, we have

$\Upsilon_1, s_1 \models (\Psi_1 \wedge \Psi_2) v_1$ iff $\Upsilon_2, s_2 \models t_B(\Psi_1 \wedge \Psi_2) v_2$.

The proof for the cases $\Phi = \Psi_1 \vee \Psi_2$, $\Phi = \Psi_1 \rightarrow \Psi_2$, and $\Phi = \Psi_1 \leftrightarrow \Psi_2$ can be done similarly.





($\Phi = \langle - \rangle \Psi$). Assume $\Upsilon_1, s_1 \models (\langle - \rangle \Psi) v_1$, where $v_1$ is a valuation that assigns to each free variable of $\Psi$ a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$. Then there exists $s''_1$ such that $s_1 \Rightarrow_1 s''_1$ and $\Upsilon_1, s''_1 \models \Psi v_1$. Since $s_1 \sim_L s_2$, there exist $s'_2, s''_2, t_1, \ldots, t_n$ (for $n \geq 0$) with

$s_2 \Rightarrow_2 s'_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s''_2$

such that $s''_1 \sim_L s''_2$, $\mathrm{M}(rep) \in \mathit{abox}_2(t_i)$ for $i \in \{1, \ldots, n\}$, and $\mathrm{M}(rep) \notin \mathit{abox}_2(s''_2)$. Hence, by induction hypothesis, for every valuation $v_2$ that assigns to each free variable $x$ of $t_B(\Psi)$ a constant $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s''_2))$, such that $c_1 = c_2$ and $x/c_1 \in v_1$, we have $\Upsilon_2, s''_2 \models t_B(\Psi) v_2$. Considering that

$s_2 \Rightarrow_2 s'_2 \Rightarrow_2 t_1 \Rightarrow_2 \cdots \Rightarrow_2 t_n \Rightarrow_2 s''_2$

(for $n \geq 0$), $\mathrm{M}(rep) \in \mathit{abox}_2(t_i)$ for $i \in \{1, \ldots, n\}$, and $\mathrm{M}(rep) \notin \mathit{abox}_2(s''_2)$, we therefore get

$\Upsilon_2, s_2 \models (\langle - \rangle \langle - \rangle \mu Z.((\mathrm{M}(rep) \wedge \langle - \rangle Z) \vee (\neg \mathrm{M}(rep) \wedge t_B(\Psi)))) v_2$.

Since

$t_B(\langle - \rangle \Psi) = \langle - \rangle \langle - \rangle \mu Z.((\mathrm{M}(rep) \wedge \langle - \rangle Z) \vee (\neg \mathrm{M}(rep) \wedge t_B(\Psi)))$,

thus we have

$\Upsilon_2, s_2 \models t_B(\langle - \rangle \Psi) v_2$.

The other direction can be shown in a symmetric way.

($\Phi = [-]\Psi$). The proof is similar to the case of $\Phi = \langle - \rangle \Psi$.

($\Phi = \exists x.\Psi$). Assume that $\Upsilon_1, s_1 \models (\exists x.\Psi) v'_1$, where $v'_1$ is a valuation that assigns to each free variable of $\Psi$ a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$. Then, by definition, there exists $c \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ such that $\Upsilon_1, s_1 \models \Psi v_1$, where $v_1 = v'_1[x/c]$. By induction hypothesis, for every valuation $v_2$ that assigns to each free variable $y$ of $t_B(\Psi)$ a constant $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, such that $c_1 = c_2$ and $y/c_1 \in v_1$, we have that $\Upsilon_2, s_2 \models t_B(\Psi) v_2$. Additionally, we have $v_2 = v'_2[x/d]$, where $d \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, and $d = c$ because $\mathit{abox}_2(s_2) = \mathit{abox}_1(s_1)$. Hence, we get $\Upsilon_2, s_2 \models (\exists x.t_B(\Psi)) v'_2$. Since $t_B(\exists x.\Psi) = \exists x.t_B(\Psi)$, thus we have $\Upsilon_2, s_2 \models t_B(\exists x.\Psi) v'_2$.

The other direction can be shown similarly.

($\Phi = \forall x.\Psi$). The proof is similar to the case of $\Phi = \exists x.\Psi$.
Extension to arbitrary countable disjunction. Let $\Psi$ be a countable set of $\mathcal{L}^{EQL}_A$ formulae. Given a transition system $\Upsilon = (\Delta, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$, the semantics of $\bigvee \Psi$ is $(\bigvee \Psi)^{\Upsilon}_{v} = \bigcup_{\psi \in \Psi} (\psi)^{\Upsilon}_{v}$. Therefore, given a state $s \in \Sigma$ we have $\Upsilon, s \models (\bigvee \Psi) v$ if and only if there exists $\psi \in \Psi$ such that $\Upsilon, s \models \psi v$. Arbitrary countable conjunction can be obtained similarly.

Now, let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2)$. Consider two states $s_1 \in \Sigma_1$ and $s_2 \in \Sigma_2$ such that $s_1 \sim_L s_2$. By induction hypothesis, we have for every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(\mathit{abox}_1(s_1))$ and $c_2 \in \mathrm{ADOM}(\mathit{abox}_2(s_2))$, such that $c_2 = c_1$, that for every formula $\psi \in \Psi$, it holds $\Upsilon_1, s_1 \models \psi v_1$ if and only if $\Upsilon_2, s_2 \models t_B(\psi) v_2$. Given the semantics of $\bigvee \Psi$ above, this implies that $\Upsilon_1, s_1 \models (\bigvee \Psi) v_1$ if and only if $\Upsilon_2, s_2 \models (\bigvee t_B(\Psi)) v_2$, where $t_B(\Psi) = \{t_B(\psi) \mid \psi \in \Psi\}$. The proof is then obtained by observing that $\bigvee t_B(\Psi) = t_B(\bigvee \Psi)$.

Extension to full $\mu\mathcal{L}^{EQL}_A$. In order to extend the result to the whole $\mu\mathcal{L}^{EQL}_A$, we resort to the well-known result stating that fixpoints of the $\mu$-calculus can be translated into the infinitary Hennessy Milner logic by iterating over approximants, where the approximant of index $\alpha$ is denoted by $\mu^\alpha Z.\Phi$ (resp. $\nu^\alpha Z.\Phi$). This is a standard result that also holds for $\mu\mathcal{L}^{EQL}_A$. In particular, approximants are built as follows:

$\mu^0 Z.\Phi = \mathit{false}$, $\nu^0 Z.\Phi = \mathit{true}$

$\mu^{\beta+1} Z.\Phi = \Phi[Z/\mu^\beta Z.\Phi]$, $\nu^{\beta+1} Z.\Phi = \Phi[Z/\nu^\beta Z.\Phi]$

$\mu^\lambda Z.\Phi = \bigvee_{\beta < \lambda} \mu^\beta Z.\Phi$, $\nu^\lambda Z.\Phi = \bigwedge_{\beta < \lambda} \nu^\beta Z.\Phi$

where $\lambda$ is a limit ordinal, and where fixpoints and their approximants are connected by the following properties: given a transition system $\Upsilon$ and a state $s$ of $\Upsilon$

• $s \in (\mu Z.\Phi)^{\Upsilon}_{v,V}$ if and only if there exists an ordinal $\alpha$ such that $s \in (\mu^\alpha Z.\Phi)^{\Upsilon}_{v,V}$ and, for every $\beta < \alpha$, it holds that $s \notin (\mu^\beta Z.\Phi)^{\Upsilon}_{v,V}$,

• $s \notin (\nu Z.\Phi)^{\Upsilon}_{v,V}$ if and only if there exists an ordinal $\alpha$ such that $s \notin (\nu^\alpha Z.\Phi)^{\Upsilon}_{v,V}$ and, for every $\beta < \alpha$, it holds that $s \in (\nu^\beta Z.\Phi)^{\Upsilon}_{v,V}$.

□ 

As a consequence of Lemma 47 above, we can easily obtain the following lemma saying that two transition systems which are L-bisimilar cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula (in NNF) modulo the translation $t_B$.

Lemma 48. Consider two transition systems $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2)$ such that $\Upsilon_1 \sim_L \Upsilon_2$. For every closed $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ in NNF, we have:

$\Upsilon_1 \models \Phi$ if and only if $\Upsilon_2 \models t_B(\Phi)$.

Proof. Since by the definition we have $s_{01} \sim_L s_{02}$, we obtain the proof as a consequence of Lemma 47, due to the fact that

$\Upsilon_1, s_{01} \models \Phi$ if and only if $\Upsilon_2, s_{02} \models t_B(\Phi)$.

□ 

D.2 Termination and Correctness of B-repair Program

We now proceed to show that the b-repair program always terminates and produces the same result as the b-repair over a knowledge base. To this aim, we first need to introduce some preliminaries. Below, we prove that every execution step of a b-repair program reduces the number of ABox assertions that participate in the inconsistency. Formally, it is stated below:

Lemma 49. Given a TBox $T$, a $T$-inconsistent ABox $A$, a service call map $m$, and a set $\Gamma_b$ of b-repair actions over $T$. Let $\alpha \in \Gamma_b$ be an arbitrary b-repair action, and $\sigma$ be a legal parameter assignment for $\alpha$. If $((A, m), \alpha\sigma, (A', m')) \in \mathrm{TELL}_{f_S}$, then $|\mathrm{inc}(A)| > |\mathrm{inc}(A')|$.
Proof. We prove the claim by reasoning over all cases of b-repair actions as follows:

Case 1: The actions obtained from a functionality assertion $(\mathrm{funct}\ R) \in T$.

Let $a_F$ be such an action, of the following form:

$a_F(x, y) : \{R(x, z) \wedge \neg[z = y] \rightsquigarrow \mathbf{del}\,\{R(x, z)\}\}$.

Suppose $a_F$ is executable in $A$ with legal parameter assignment $\sigma$. Since we have

$\mathbf{pick}\ \exists z.Q_{unsat}((\mathrm{funct}\ R), x, y, z).a_F(x, y) \in \delta^b_T$,

then there exist $c \in \mathrm{ADOM}(A)$ and $\{c_1, c_2, c_3, \ldots, c_n\} \subseteq \mathrm{ADOM}(A)$ such that $\{R(c, c_1), R(c, c_2), \ldots, R(c, c_n)\} \subseteq A$, where $n \geq 2$. W.l.o.g. let $\sigma$ substitute $x$ with $c$ and $y$ with $c_1$; then we have $\langle (A, m), a_F\sigma, (A', m) \rangle \in \mathrm{TELL}_{f_S}$, where $A' = A \setminus \{R(c, c_2), \ldots, R(c, c_n)\}$. Therefore we have $|\mathrm{INC}(A)| > |\mathrm{INC}(A')|$.

Case 2: The actions obtained from a negative concept inclusion $B_1 \sqsubseteq \neg B_2$ such that $T \models B_1 \sqsubseteq \neg B_2$. Let $a_{B_1}$ be such an action, of the following form:

$a_{B_1}(x) : \{\mathit{true} \rightsquigarrow \mathbf{del}\,\{B_1(x)\}\}$.

Suppose $a_{B_1}$ is executable in $A$ with legal parameter assignment $\sigma$. Since we have

$\mathbf{pick}\ Q_{unsat}(B_1 \sqsubseteq \neg B_2, x).a_{B_1}(x) \in \delta^b_T$,

then there exists $c \in \mathrm{ADOM}(A)$ such that $\{B_1(c), B_2(c)\} \subseteq A$. W.l.o.g. let $\sigma$ substitute $x$ with $c$; then we have $\langle (A, m), a_{B_1}\sigma, (A', m) \rangle \in \mathrm{TELL}_{f_S}$, where $A' = A \setminus \{B_1(c)\}$. Therefore we have $|\mathrm{INC}(A)| > |\mathrm{INC}(A')|$.

Case 3: The actions obtained from a negative role inclusion $R_1 \sqsubseteq \neg R_2$ such that $T \models R_1 \sqsubseteq \neg R_2$. The proof is similar to Case 2.

□

Having Lemma 49 in hand, we are ready to show the termination of the b-repair program as follows:

Lemma 50. Given a TBox $T$ and a filter $f_S$, a b-repair program $\delta^b_T$ over $T$ always terminates. I.e., given a state $(A, m, \delta^b_T)$, every program execution trace induced by $\delta^b_T$ on $(A, m, \delta^b_T)$ w.r.t. filter $f_S$ is terminating.

Proof. We divide the proof into two cases:

Case 1: $A$ is $T$-consistent.

Trivially true: since $\mathrm{ANS}(Q^T_{unsat}, T, A) = \mathit{false}$, we have $(A, m, \delta^b_T) \in F$ by the definition.

Case 2: $A$ is $T$-inconsistent.

Given a state $(A, m, \delta^b_T)$ such that $A$ is $T$-inconsistent, w.l.o.g. let

$\pi = (A, m, \delta^b_T) \rightarrow (A_1, m, \delta_1) \rightarrow (A_2, m, \delta_2) \rightarrow \cdots$

be an arbitrary program execution trace induced by $\delta^b_T$ on $(A, m, \delta^b_T)$ w.r.t. filter $f_S$. Notice that the service call map $m$ always stays the same, since every b-repair action $a \in \Gamma^b_T$ (which are the only actions that might appear in $\delta^b_T$) does not involve any service calls. Now, we have to show that eventually there exists a state $(A_n, m, \delta_n)$ such that

$\pi = (A, m, \delta^b_T) \rightarrow (A_1, m, \delta_1) \rightarrow \cdots \rightarrow (A_n, m, \delta_n)$

and $(A_n, m, \delta_n) \in F$. By Lemma 49, we have that

$|\mathrm{INC}(A)| > |\mathrm{INC}(A_1)| > |\mathrm{INC}(A_2)| > \cdots$

Additionally, we rely on the following facts:

(1) Since we assume that every concept (resp. role) is satisfiable, inconsistency can only be caused by

(a) a pair of assertions $B_1(c)$ and $B_2(c)$ (resp. $R_1(c_1, c_2)$ and $R_2(c_1, c_2)$) that violate a negative inclusion assertion $B_1 \sqsubseteq \neg B_2$ (resp. $R_1 \sqsubseteq \neg R_2$) such that $T \models B_1 \sqsubseteq \neg B_2$ (resp. $T \models R_1 \sqsubseteq \neg R_2$), or

(b) $n$ role assertions

$R(c, c_1), R(c, c_2), \ldots, R(c, c_n)$

that violate a functionality assertion $(\mathrm{funct}\ R) \in T$.

(2) To deal with both sources of inconsistency in point (1):

(a) we consider all negative concept inclusions $B_1 \sqsubseteq \neg B_2$ such that $T \models B_1 \sqsubseteq \neg B_2$ when constructing the b-repair actions (i.e., we saturate the negative inclusion assertions w.r.t. $T$, obtaining all negative inclusion assertions derivable from $T$). Moreover, for each negative concept inclusion $B_1 \sqsubseteq \neg B_2$ such that $T \models B_1 \sqsubseteq \neg B_2$, we have an action which removes $B_1(c)$ (for a constant $c$) in case $B_1 \sqsubseteq \neg B_2$ is violated. Similarly for negative role inclusions.

(b) we consider all functionality assertions $(\mathrm{funct}\ R) \in T$ when constructing the b-repair actions, and each $a_F \in \Gamma^b_T$ removes all role assertions that violate $(\mathrm{funct}\ R)$, except one.

(3) Observe that, for any ABox $A$, $\mathrm{ANS}(Q^T_{unsat}, T, A) = \mathit{true}$ as long as $|\mathrm{INC}(A)| > 0$. Moreover, in such a situation, by construction of $\delta^b_T$, there always exists an executable action $a \in \Gamma^b_T$ (observe that $Q^T_{unsat}$ is the disjunction of every ECQ $Q$ that guards the corresponding atomic action invocation $\mathbf{pick}\ Q(\vec{p}).a(\vec{p}) \in \delta^b_T$ of each $a \in \Gamma^b_T$, where each of its free variables is existentially quantified).

As a consequence, eventually there exists $A_n$ such that $|\mathrm{INC}(A_n)| = 0$. Hence, by Lemma 13, $A_n$ is $T$-consistent. Therefore $\mathrm{ANS}(Q^T_{unsat}, T, A_n) = \mathit{false}$, and $(A_n, m, \delta_n) \in F$.

□


We now proceed to show the correctness of the b-repair program, i.e., that a b-repair program produces exactly the result of a b-repair operation over the given (inconsistent) KB. As the first step, we show that every ABox produced by the b-repair program is a maximal $T$-consistent subset of the given input ABox.

Lemma 51. Given a TBox $T$, an ABox $A$, a service call map $m$, a b-repair program $\delta^b_T$ over $T$ and a filter $f_S$, we have that if $A' \in \mathrm{RES}(A, m, \delta^b_T)$ then $A'$ is a maximal $T$-consistent subset of $A$.
Proof. Assume that $A' \in \mathrm{RES}(A, m, \delta^b_T)$. We have to show that

(1) $A' \subseteq A$;

(2) $A'$ is $T$-consistent;

(3) there does not exist $A''$ such that $A' \subset A'' \subseteq A$ and $A''$ is $T$-consistent.

We divide the proof into two cases:

Case 1: $A$ is $T$-consistent. Trivially true, because $\mathrm{ANS}(Q^T_{unsat}, T, A) = \mathit{false}$, hence $(A, m, \delta^b_T) \in F$ and $A \in \mathrm{RES}(A, m, \delta^b_T)$. Thus, $A$ trivially satisfies conditions (1)-(3).

Case 2: $A$ is $T$-inconsistent. Let

$\pi = (A, m, \delta^b_T) \rightarrow (A_1, m, \delta_1) \rightarrow \cdots \rightarrow (A', m, \delta')$

be the corresponding program execution trace that produces $A'$ (this trace must exist because $A' \in \mathrm{RES}(A, m, \delta^b_T)$).

For condition (1). Trivially true from the construction of the b-repair program $\delta^b_T$, since each step of the program always and only removes some ABox assertions, and also by recalling from Lemma 49 that we have

$|\mathrm{INC}(A)| > |\mathrm{INC}(A_1)| > |\mathrm{INC}(A_2)| > \cdots$

For condition (2). Since the b-repair program $\delta^b_T$ terminates at a final state $(A', m, \delta')$ where $\mathrm{ANS}(Q^T_{unsat}, T, A') = \mathit{false}$, $A'$ is $T$-consistent.

For condition (3). Suppose by contradiction that there exists $A''$ s.t. $A' \subset A'' \subseteq A$ and $A''$ is $T$-consistent. Recall that in DL-Lite$_A$, since we assume that every concept (resp. role) is satisfiable, inconsistency is only caused by

(i) a pair of assertions $B_1(c)$ and $B_2(c)$ (resp. $R_1(c_1, c_2)$ and $R_2(c_1, c_2)$) that violate a negative inclusion assertion $B_1 \sqsubseteq \neg B_2$ (resp. $R_1 \sqsubseteq \neg R_2$) s.t. $T \models B_1 \sqsubseteq \neg B_2$ (resp. $T \models R_1 \sqsubseteq \neg R_2$), or

(ii) $n$ role assertions

$R(c, c_1), R(c, c_2), \ldots, R(c, c_n)$

that violate a functionality assertion $(\mathrm{funct}\ R) \in T$.

However, by the construction of the b-repair program $\delta^b_T$, we have that each action $a \in \Gamma^b_T$ is executable only when there is a corresponding inconsistency (detected by the guard $Q$ of the corresponding atomic action invocation $\mathbf{pick}\ Q(\vec{p}).a(\vec{p}) \in \delta^b_T$), and each action only either

(i) removes one of the pair of assertions that violate a negative inclusion assertion, or

(ii) removes $n-1$ role assertions among the $n$ role assertions that violate a functionality assertion.

Hence, if $A''$ exists, then there exists an ABox assertion that should not have been removed, but then $A''$ is $T$-inconsistent. Thus, we have a contradiction. Hence, there does not exist $A''$ such that $A' \subset A'' \subseteq A$ and $A''$ is $T$-consistent.

□

From Lemma 51 we can show that every ABox produced by the b-repair program is in the set of b-repairs of the given (inconsistent) KB. Formally, it is stated below:

Lemma 52. Given a TBox $T$, an ABox $A$, a service call map $m$ and a b-repair program $\delta^b_T$ over $T$, we have that if $A' \in \mathrm{RES}(A, m, \delta^b_T)$ then $A' \in \mathrm{B\text{-}REP}(T, A)$.

Proof. By Lemma 51 and the definition of $\mathrm{B\text{-}REP}(T, A)$. □

In order to complete the proof that a b-repair program produces exactly all b-repair results of the given (inconsistent) KB, we show that every b-repair result of the given (inconsistent) KB is produced by the b-repair program.

Lemma 53. Given a TBox $T$, an ABox $A$, a service call map $m$ and a b-repair program $\delta^b_T$ over $T$. If $A' \in \mathrm{B\text{-}REP}(T, A)$, then $A' \in \mathrm{RES}(A, m, \delta^b_T)$.

Proof. We divide the proof into two cases:

Case 1: $A$ is $T$-consistent. Trivially true, because $\mathrm{B\text{-}REP}(T, A)$ is a singleton set containing $A$ and, since $\mathrm{ANS}(Q^T_{unsat}, T, A) = \mathit{false}$, we have $(A, m, \delta^b_T) \in F$ and hence $\mathrm{RES}(A, m, \delta^b_T)$ is also a singleton set containing $A$.

Case 2: $A$ is $T$-inconsistent. Let $A_1$ be an arbitrary ABox in $\mathrm{B\text{-}REP}(T, A)$; we have to show that there exists $A_2 \in \mathrm{RES}(A, m, \delta^b_T)$ such that $A_2 = A_1$.

Now, consider an arbitrary concept assertion $N(c) \in A_1$ (resp. role assertion $P(c_1, c_2) \in A_1$); we have to show that $N(c) \in A_2$ (resp. $P(c_1, c_2) \in A_2$). For compactness, here we only consider the case of $N(c)$ (the case of $P(c_1, c_2)$ is similar). Now we have to consider two cases:

(a) $N(c)$ does not violate any negative concept inclusion assertion;

(b) $N(c)$, together with another assertion, violates a negative concept inclusion assertion.

The proof is as follows:

Case (a): It is easy to see that there exists $A_2 \in \mathrm{RES}(A, m, \delta^b_T)$ such that $N(c) \in A_2$, because by construction of $\delta^b_T$, every action $a \in \Gamma^b_T$ never deletes any assertion that does not violate any negative inclusion.

Case (b): Due to the fact about the sources of inconsistency in DL-Lite$_A$, there exist

i. $N(c) \in A$,

ii. a negative inclusion $N \sqsubseteq \neg B$ (such that $T \models N \sqsubseteq \neg B$), and

iii. $B(c) \in A$.

Since $N(c) \in A_1$, there exists $A'_1 \in \mathrm{B\text{-}REP}(T, A)$ such that $B(c) \in A'_1$. Now, it is easy to see from the construction of the b-repair program $\delta^b_T$ that we have actions $a_1, a_2 \in \Gamma^b_T$ such that one removes only $N(c)$ from $A$ and the other removes only $B(c)$ from $A$. Hence, w.l.o.g. we must have $A_2, A'_2 \in \mathrm{RES}(A, m, \delta^b_T)$ such that $N(c) \in A_2$ but $N(c) \notin A'_2$, and $B(c) \notin A_2$ but $B(c) \in A'_2$.

Now, since $N(c)$ is an arbitrary assertion in $A_1$, by the two cases above, and also considering that the other case can be treated similarly, we have that $A_2 \in \mathrm{RES}(A, m, \delta^b_T)$, where $A_2 = A_1$.

□
As a consequence of Lemmas 52 and 53, we can finally show the correctness of the b-repair program (i.e., that it produces the same result as b-repair over the KB) as follows.

Theorem 54. Given a TBox $T$, an ABox $A$, a service call map $m$ and a b-repair program $\delta^b_T$ over $T$, we have that $\mathrm{RES}(A, m, \delta^b_T) = \mathrm{B\text{-}REP}(T, A)$.

Proof. Direct consequence of Lemmas 52 and 53. □


D.3 Recasting the Verification of B-GKABs Into S-GKABs

To show that the verification of $\mu\mathcal{L}^{EQL}_A$ over B-GKABs can be recast as verification over S-GKABs, we make use of L-bisimulation. In particular, we first show that, given a B-GKAB $\mathcal{G}$, its transition system $\Upsilon^B_\mathcal{G}$ is L-bisimilar to the transition system $\Upsilon^S_{\tau_B(\mathcal{G})}$ of the S-GKAB $\tau_B(\mathcal{G})$ obtained via the translation $\tau_B$. As a consequence, we have that the transition systems $\Upsilon^B_\mathcal{G}$ and $\Upsilon^S_{\tau_B(\mathcal{G})}$ cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula (in NNF) modulo the translation $t_B$.

Lemma 55. Let $\mathcal{G}$ be a B-GKAB with transition system $\Upsilon^B_\mathcal{G}$, and let $\tau_B(\mathcal{G})$ be the S-GKAB with transition system $\Upsilon^S_{\tau_B(\mathcal{G})}$ obtained through $\tau_B$. Consider a state $(A_b, m_b, \delta_b)$ of $\Upsilon^B_\mathcal{G}$ and a state $(A_s, m_s, \delta_s)$ of $\Upsilon^S_{\tau_B(\mathcal{G})}$. If $A_s = A_b$, $m_s = m_b$ and $\delta_s = \kappa_B(\delta_b)$, then $(A_b, m_b, \delta_b) \sim_L (A_s, m_s, \delta_s)$.


Proof. Let

• $\mathcal{G} = (T, A_0, \Gamma, \delta_b)$ and $\Upsilon^B_\mathcal{G} = (\Delta, T, \Sigma_b, s_{0b}, abox_b, \Rightarrow_b)$,

• $\tau_B(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$ and $\Upsilon^S_{\tau_B(\mathcal{G})} = (\Delta, T_s, \Sigma_s, s_{0s}, abox_s, \Rightarrow_s)$.

We have to show the following: for every state $(A''_b, m''_b, \delta''_b)$ such that $(A_b, m_b, \delta_b) \Rightarrow_b (A''_b, m''_b, \delta''_b)$, there exist states $s'$ and $s''$ such that:

(a) $s \Rightarrow_s s' \Rightarrow_s t_1 \Rightarrow_s \cdots \Rightarrow_s t_n \Rightarrow_s s''$, where $s = (A_s, m_s, \delta_s)$, $s'' = (A''_s, m''_s, \delta''_s)$, $n \geq 0$, $M(\mathit{rep}) \notin A''_s$, and $M(\mathit{rep}) \in abox_s(t_i)$ for $i \in \{1, \ldots, n\}$;

(b) $A''_s = A''_b$;

(c) $m''_s = m''_b$;

(d) $\delta''_s = \kappa_B(\delta''_b)$.

By definition of $\Upsilon^B_\mathcal{G}$, since $(A_b, m_b, \delta_b) \Rightarrow_b (A''_b, m''_b, \delta''_b)$, we have $(A_b, m_b, \delta_b) \xrightarrow{a\sigma_b, f_B} (A''_b, m''_b, \delta''_b)$. Hence, by the definition of $\xrightarrow{a\sigma_b, f_B}$, we have:

• there exists an action $a \in \Gamma$ with a corresponding action invocation $\mathbf{pick}\ Q(\vec{p}).a(\vec{p})$ and a legal parameter assignment $\sigma_b$ such that $a$ is executable in $A_b$ with legal parameter assignment $\sigma_b$;

• $\langle (A_b, m_b), a\sigma_b, (A''_b, m''_b) \rangle \in \mathrm{TELL}_{f_B}$.

Since $\langle (A_b, m_b), a\sigma_b, (A''_b, m''_b) \rangle \in \mathrm{TELL}_{f_B}$, by the definition of $\mathrm{TELL}_{f_B}$, there exists $\theta_b \in \mathrm{EVAL}(\mathrm{ADD}^{a\sigma_b}_{A_b})$ such that

• $\theta_b$ and $m_b$ agree on the common values in their domains;

• $m''_b = m_b \cup \theta_b$;

• $\langle A_b, \mathrm{ADD}^{a\sigma_b}_{A_b}\theta_b, \mathrm{DEL}^{a\sigma_b}_{A_b}, A''_b \rangle \in f_B$;

• $A''_b$ is $T$-consistent.

Since $\langle A_b, \mathrm{ADD}^{a\sigma_b}_{A_b}\theta_b, \mathrm{DEL}^{a\sigma_b}_{A_b}, A''_b \rangle \in f_B$, by the definition of $f_B$, there exists $A'_b$ such that $A''_b \in \mathrm{B\text{-}REP}(T, A'_b)$ and $A'_b = (A_b \setminus \mathrm{DEL}^{a\sigma_b}_{A_b}) \cup \mathrm{ADD}^{a\sigma_b}_{A_b}\theta_b$.

Since $\delta_s = \kappa_B(\delta_b)$, by the definition of $\kappa_B$ we have that

$\kappa_B(\mathbf{pick}\ Q(\vec{p}).a(\vec{p})) = \mathbf{pick}\ Q(\vec{p}).a(\vec{p});\ \mathbf{pick}\ \mathit{true}.a^+_{tmp}();\ \delta^b_T;\ \mathbf{pick}\ \mathit{true}.a^-_{tmp}()$.

Hence, the next executable sub-program in state $(A_s, m_s, \delta_s)$ is

$\delta'_s = \mathbf{pick}\ Q(\vec{p}).a(\vec{p});\ \mathbf{pick}\ \mathit{true}.a^+_{tmp}();\ \delta^b_T;\ \mathbf{pick}\ \mathit{true}.a^-_{tmp}()$.

Now, since

• $\sigma_b$ maps parameters of $a \in \Gamma$ to constants in $\mathrm{ADOM}(A_b)$,

• $A_b = A_s$,

we can construct $\sigma_s$ such that $\sigma_s = \sigma_b$. Moreover, we also know that the certain answers computed over $A_b$ are the same as those computed over $A_s$. Hence, $a \in \Gamma_s$ is executable in $A_s$ with legal parameter assignment $\sigma_s$. Now, since we have $m_s = m_b$, we can construct $\theta_s$ such that $\theta_s = \theta_b$. Hence, we have the following:

• $\theta_s$ and $m_s$ agree on the common values in their domains;

• $m''_s = \theta_s \cup m_s = \theta_b \cup m_b = m''_b$.

Let

$A'_s = (A_s \setminus \mathrm{DEL}^{a\sigma_s}_{A_s}) \cup \mathrm{ADD}^{a\sigma_s}_{A_s}\theta_s$;

as a consequence, we have that

$\langle A_s, \mathrm{ADD}^{a\sigma_s}_{A_s}\theta_s, \mathrm{DEL}^{a\sigma_s}_{A_s}, A'_s \rangle \in f_S$.

Since $A_s = A_b$, $\sigma_s = \sigma_b$ and $\theta_s = \theta_b$, it follows that

• $\mathrm{DEL}^{a\sigma_s}_{A_s} = \mathrm{DEL}^{a\sigma_b}_{A_b}$, and

• $\mathrm{ADD}^{a\sigma_s}_{A_s}\theta_s = \mathrm{ADD}^{a\sigma_b}_{A_b}\theta_b$.

Hence, by the construction of $A'_s$ and $A'_b$ above, we have $A'_b = A'_s$. By the definition of $\tau_B$, we have $T_s = T_p$ (i.e., only the positive inclusion assertions of $T$), hence $A'_s$ is $T_s$-consistent. Thus, by the definition of $\mathrm{TELL}_{f_S}$, we have $\langle (A_s, m_s), a\sigma_s, (A'_s, m''_s) \rangle \in \mathrm{TELL}_{f_S}$. Moreover, we have

$(A_s, m_s, \mathbf{pick}\ Q(\vec{p}).a(\vec{p});\ \delta_0) \xrightarrow{a\sigma_s, f_S} (A'_s, m''_s, \delta_0)$

where $\delta_0 = \mathbf{pick}\ \mathit{true}.a^+_{tmp}();\ \delta^b_T;\ \mathbf{pick}\ \mathit{true}.a^-_{tmp}()$.

Now, we need to show that the rest of the program in $\delta'_s$ that still needs to be executed (i.e., $\delta_0$) brings us into a state $(A''_s, m''_s, \delta''_s)$ s.t. claims (a)-(d) are proved. It is easy to see that

$(A'_s, m''_s, \delta_0) \xrightarrow{a^+_{tmp}\sigma, f_S} (A_1, m''_s, \delta_1)$

where $\delta_1 = \delta^b_T;\ \mathbf{pick}\ \mathit{true}.a^-_{tmp}()$. Since $\delta_1$ does not involve any service calls, w.l.o.g. let

$\pi = (A_1, m''_s, \delta_1) \rightarrow (A_2, m''_s, \delta_2) \rightarrow \cdots$

be a program execution trace induced by $\delta_1$ on $(A_1, m''_s, \delta_1)$. By Lemma 50 and Theorem 54 we have that

• $\delta^b_T$ always terminates,

• $\delta^b_T$ produces an ABox $A_n$ such that $A_n \in \mathrm{B\text{-}REP}(T, A_1)$;

additionally, by the construction of $\delta^b_T$ and $a^-_{tmp}$, we have that

• $\delta^b_T$ never deletes $M(\mathit{rep})$, and

• $a^-_{tmp}$ only deletes $M(\mathit{rep})$ from the corresponding ABox.

Therefore, there exists $(A''_s, m''_s, \delta''_s)$ such that

$\pi = (A'_s, m''_s, \delta_0) \rightarrow (A_1, m''_s, \delta_1) \rightarrow \cdots \rightarrow (A_n, m''_s, \delta_n) \rightarrow (A''_s, m''_s, \delta_{n+1})$

where

• $M(\mathit{rep}) \notin A''_s$,

• $M(\mathit{rep}) \in A_i$ (for $1 \leq i \leq n$),

• $(A''_s, m''_s, \delta_{n+1}) \in F$,

• $A_n \in \mathrm{B\text{-}REP}(T, A_1)$ (by Theorem 54),

• $A''_s \in \mathrm{B\text{-}REP}(T, A'_b)$ (since $A'_b = A'_s$, $A'_s = A_1 \setminus \{M(\mathit{rep})\}$, $A''_s = A_n \setminus \{M(\mathit{rep})\}$, $A_n \in \mathrm{B\text{-}REP}(T, A_1)$, and $M(\mathit{rep})$ is a special marker).

W.l.o.g., by Theorem 54, we have $A''_s = A''_b$. Since $(A''_s, m''_s, \delta_{n+1}) \in F$, we have finished executing $\delta'_s$, and by the definition of $\kappa_B$ the rest of the program to be executed is

Therefore, we have shown that there exist $s', s'', t_1, \ldots, t_n$ (for $n \geq 0$) such that

$s \Rightarrow_s s' \Rightarrow_s t_1 \Rightarrow_s \cdots \Rightarrow_s t_n \Rightarrow_s s''$

where

• $s = (A_s, m_s, \delta_s)$, $s'' = (A''_s, m''_s, \delta''_s)$,

• $M(\mathit{rep}) \notin A''_s$, and

• $M(\mathit{rep}) \in abox_s(t_i)$ for $i \in \{1, \ldots, n\}$;

• $A''_s = A''_b$.

The other direction of the bisimulation relation can be proven symmetrically.

□


Having Lemma 55 in hand, we can easily show that, given a B-GKAB $\mathcal{G}$, its transition system $\Upsilon^B_\mathcal{G}$ is L-bisimilar to the transition system of the S-GKAB $\tau_B(\mathcal{G})$ (which is obtained via the translation $\tau_B$).

Lemma 56. Given a B-GKAB $\mathcal{G}$, we have $\Upsilon^B_\mathcal{G} \sim_L \Upsilon^S_{\tau_B(\mathcal{G})}$.

Proof. Let

1. $\mathcal{G} = (T, A_0, \Gamma, \delta_b)$ and $\Upsilon^B_\mathcal{G} = (\Delta, T, \Sigma_b, s_{0b}, abox_b, \Rightarrow_b)$,

2. $\tau_B(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$ and $\Upsilon^S_{\tau_B(\mathcal{G})} = (\Delta, T_s, \Sigma_s, s_{0s}, abox_s, \Rightarrow_s)$.

We have that $s_{0b} = (A_0, m_b, \delta_b)$ and $s_{0s} = (A_0, m_s, \delta_s)$, where $m_b = m_s = \emptyset$. By the definition of $\tau_B$, we also have $\delta_s = \kappa_B(\delta_b)$. Hence, by Lemma 55 we have $s_{0b} \sim_L s_{0s}$. Therefore, by the definition of L-bisimulation, we have $\Upsilon^B_\mathcal{G} \sim_L \Upsilon^S_{\tau_B(\mathcal{G})}$. □

With all of this machinery in hand, we are now ready to show that the verification of $\mu\mathcal{L}^{EQL}_A$ over B-GKABs can be recast as verification over S-GKABs as follows.

Theorem 57. Given a B-GKAB $\mathcal{G}$ and a closed $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ in NNF,

$\Upsilon^B_\mathcal{G} \models \Phi$ iff $\Upsilon^S_{\tau_B(\mathcal{G})} \models t_B(\Phi)$.

Proof. By Lemma 56 we have that $\Upsilon^B_\mathcal{G} \sim_L \Upsilon^S_{\tau_B(\mathcal{G})}$. Hence, the claim directly follows from Lemma 48. □

E From C-GKABs to S-GKABs

We devote this section to showing that the verification of $\mu\mathcal{L}^{EQL}_A$ properties over C-GKABs can be recast as a corresponding verification over S-GKABs. Formally, given a C-GKAB $\mathcal{G}$ and a $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$, we show that $\Upsilon^C_\mathcal{G} \models \Phi$ iff $\Upsilon^S_{\tau_C(\mathcal{G})} \models t_{dup}(\Phi)$ (this claim is formally stated and proven in Theorem 73). The core idea of the proof is to use a certain bisimulation relation in which two bisimilar transition systems (w.r.t. this bisimulation relation) cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ property modulo the formula translation $t_{dup}$. Then, we show that the transition system of a C-GKAB is bisimilar to the transition system of its corresponding S-GKAB w.r.t. this bisimulation relation, and as a consequence we easily obtain the proof that we can recast the verification of $\mu\mathcal{L}^{EQL}_A$ over C-GKABs into the corresponding verification over S-GKABs. To this purpose, we first introduce several preliminaries below.

We now define a translation function $\kappa_C$ that essentially concatenates each action invocation with a c-repair action in order to simulate the action executions in C-GKABs. Additionally, the translation function $\kappa_C$ also serves as a one-to-one correspondence (bijection) between the original and the translated program (as well as between their sub-programs). Formally, given a program $\delta$ and a TBox $T$, the translation $\kappa_C$, which translates a program into a program, is defined inductively as follows:

$\kappa_C(\mathbf{pick}\ Q(\vec{p}).a(\vec{p})) = \mathbf{pick}\ Q(\vec{p}).a(\vec{p});\ \mathbf{pick}\ \mathit{true}.a^c_T()$

$\kappa_C(\varepsilon) = \varepsilon$

$\kappa_C(\delta_1 | \delta_2) = \kappa_C(\delta_1) | \kappa_C(\delta_2)$

$\kappa_C(\delta_1; \delta_2) = \kappa_C(\delta_1); \kappa_C(\delta_2)$

$\kappa_C(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) = \mathbf{if}\ \varphi\ \mathbf{then}\ \kappa_C(\delta_1)\ \mathbf{else}\ \kappa_C(\delta_2)$

$\kappa_C(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta) = \mathbf{while}\ \varphi\ \mathbf{do}\ \kappa_C(\delta)$

where $a^c_T$ is a c-repair action over $T$.

Next, we formally define the translation $t_{dup}$ that transforms $\mu\mathcal{L}^{EQL}_A$ properties $\Phi$ to be verified over C-GKABs into the corresponding properties to be verified over an S-GKAB, as follows.

Definition 58 (Translation $t_{dup}$). We define a translation $t_{dup}$ that takes a $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$ as input and produces a new $\mu\mathcal{L}^{EQL}_A$ formula $t_{dup}(\Phi)$ by recurring over the structure of $\Phi$ as follows:

• $t_{dup}(Q) = Q$

• $t_{dup}(\neg\Phi) = \neg t_{dup}(\Phi)$

• $t_{dup}(\exists x.\Phi) = \exists x.t_{dup}(\Phi)$

• $t_{dup}(\Phi_1 \vee \Phi_2) = t_{dup}(\Phi_1) \vee t_{dup}(\Phi_2)$

• $t_{dup}(\mu Z.\Phi) = \mu Z.t_{dup}(\Phi)$

• $t_{dup}(\langle - \rangle\Phi) = \langle - \rangle\langle - \rangle t_{dup}(\Phi)$

E.1 Skip-one Bisimulation (S-Bisimulation)

We now proceed to define the notion of skip-one bisimulation, which we will use to reduce the verification of C-GKABs into S-GKABs, as follows.
Definition 59 (Skip-one Bisimulation (S-Bisimulation)). Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ be transition systems, with $\mathrm{ADOM}(abox_1(s_{01})) \subseteq \Delta$ and $\mathrm{ADOM}(abox_2(s_{02})) \subseteq \Delta$. A skip-one bisimulation (S-Bisimulation) between $\Upsilon_1$ and $\Upsilon_2$ is a relation $\mathcal{B} \subseteq \Sigma_1 \times \Sigma_2$ such that $(s_1, s_2) \in \mathcal{B}$ implies that:

1. $abox_1(s_1) = abox_2(s_2)$;

2. for each $s'_1$, if $s_1 \Rightarrow_1 s'_1$ then there exist $t$ and $s'_2$ with

$s_2 \Rightarrow_2 t \Rightarrow_2 s'_2$

such that $(s'_1, s'_2) \in \mathcal{B}$, $\mathrm{State}(\mathit{temp}) \notin abox_2(s'_2)$ and $\mathrm{State}(\mathit{temp}) \in abox_2(t)$;

3. for each $s'_2$, if

$s_2 \Rightarrow_2 t \Rightarrow_2 s'_2$

with $\mathrm{State}(\mathit{temp}) \in abox_2(t)$ and $\mathrm{State}(\mathit{temp}) \notin abox_2(s'_2)$, then there exists $s'_1$ with $s_1 \Rightarrow_1 s'_1$ such that $(s'_1, s'_2) \in \mathcal{B}$.

Let $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ be transition systems. A state $s_1 \in \Sigma_1$ is S-bisimilar to $s_2 \in \Sigma_2$, written $s_1 \sim_{SO} s_2$, if there exists an S-bisimulation relation $\mathcal{B}$ between $\Upsilon_1$ and $\Upsilon_2$ such that $(s_1, s_2) \in \mathcal{B}$. A transition system $\Upsilon_1$ is S-bisimilar to $\Upsilon_2$, written $\Upsilon_1 \sim_{SO} \Upsilon_2$, if there exists an S-bisimulation relation $\mathcal{B}$ between $\Upsilon_1$ and $\Upsilon_2$ such that $(s_{01}, s_{02}) \in \mathcal{B}$.

Now, we advance further to show that two S-bisimilar transition systems cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula modulo the translation $t_{dup}$.

Lemma 60. Consider two transition systems $\Upsilon_1 = (\Delta, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$, with $\mathrm{ADOM}(abox_1(s_{01})) \subseteq \Delta$ and $\mathrm{ADOM}(abox_2(s_{02})) \subseteq \Delta$. Consider two states $s_1 \in \Sigma_1$ and $s_2 \in \Sigma_2$ such that $s_1 \sim_{SO} s_2$. Then for every formula $\Phi$ of $\mu\mathcal{L}^{EQL}_A$, and every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(abox_1(s_1))$ and $c_2 \in \mathrm{ADOM}(abox_2(s_2))$, such that $c_1 = c_2$, we have that

$\Upsilon_1, s_1 \models \Phi v_1$ if and only if $\Upsilon_2, s_2 \models t_{dup}(\Phi)v_2$.


Proof. Similarly to Lemma 24, we divide the proof into three parts:

(1) First, we obtain the proof of the claim for formulae of $\mathcal{L}^{EQL}_A$.

(2) Second, we extend the result to the infinitary logic obtained by extending $\mathcal{L}^{EQL}_A$ with arbitrary countable disjunction.

(3) Last, we recall that fixpoints can be translated into this infinitary logic, thus proving that the theorem holds for $\mu\mathcal{L}^{EQL}_A$.

Since steps (2) and (3) are similar to the proof of Lemma 24, here we only highlight some interesting cases of the proof for step (1) (the other cases of step (1) can be shown similarly):

Proof for $\mathcal{L}^{EQL}_A$.

Base case:

($\Phi = Q$). Since $s_1 \sim_{SO} s_2$, we have $abox_1(s_1) = abox_2(s_2)$, and hence $\mathrm{ANS}(Q, T, abox_1(s_1)) = \mathrm{ANS}(Q, T, abox_2(s_2))$. Thus, since $t_{dup}(Q) = Q$, for every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(abox_1(s_1))$ and $c_2 \in \mathrm{ADOM}(abox_2(s_2))$, such that $c_1 = c_2$, we have

$\Upsilon_1, s_1 \models Qv_1$ if and only if $\Upsilon_2, s_2 \models t_{dup}(Q)v_2$.

Inductive step:

($\Phi = \neg\Psi$). By the induction hypothesis, for every valuations $v_1$ and $v_2$ that assign to each of its free variables a constant $c_1 \in \mathrm{ADOM}(abox_1(s_1))$ and $c_2 \in \mathrm{ADOM}(abox_2(s_2))$, such that $c_2 = c_1$, we have that $\Upsilon_1, s_1 \models \Psi v_1$ if and only if $\Upsilon_2, s_2 \models t_{dup}(\Psi)v_2$. Hence, $\Upsilon_1, s_1 \not\models \Psi v_1$ if and only if $\Upsilon_2, s_2 \not\models t_{dup}(\Psi)v_2$. By definition, $\Upsilon_1, s_1 \models \neg\Psi v_1$ if and only if $\Upsilon_2, s_2 \models \neg t_{dup}(\Psi)v_2$. Hence, by the definition of $t_{dup}$, we have $\Upsilon_1, s_1 \models \neg\Psi v_1$ if and only if $\Upsilon_2, s_2 \models t_{dup}(\neg\Psi)v_2$.

($\Phi = \langle - \rangle\Psi$). Assume $\Upsilon_1, s_1 \models (\langle - \rangle\Psi)v_1$; then there exists $s'_1$ such that $s_1 \Rightarrow_1 s'_1$ and $\Upsilon_1, s'_1 \models \Psi v_1$. Since $s_1 \sim_{SO} s_2$, there exist $t$ and $s'_2$ s.t.

$s_2 \Rightarrow_2 t \Rightarrow_2 s'_2$

and $s'_1 \sim_{SO} s'_2$. Hence, by the induction hypothesis, for every valuation $v_2$ that assigns to each free variable $x$ of $t_{dup}(\Psi)$ a constant $c_2 \in \mathrm{ADOM}(abox_2(s'_2))$, such that $c_2 = c_1$ with $x/c_1 \in v_1$, we have

$\Upsilon_2, s'_2 \models t_{dup}(\Psi)v_2$.

Since $abox_2(s_2) = abox_1(s_1)$, and $s_2 \Rightarrow_2 t \Rightarrow_2 s'_2$, we therefore get

$\Upsilon_2, s_2 \models (\langle - \rangle\langle - \rangle t_{dup}(\Psi))v_2$.

Since $t_{dup}(\langle - \rangle\Psi) = \langle - \rangle\langle - \rangle t_{dup}(\Psi)$, we therefore have $\Upsilon_2, s_2 \models t_{dup}(\langle - \rangle\Psi)v_2$.

The other direction can be shown in a symmetric way.

□

Having Lemma 60 in hand, we can easily show that two S-bisimilar transition systems cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula modulo the translation $t_{dup}$.

Lemma 61. Consider two transition systems $\Upsilon_1 = (\Delta_1, T, \Sigma_1, s_{01}, abox_1, \Rightarrow_1)$ and $\Upsilon_2 = (\Delta_2, T, \Sigma_2, s_{02}, abox_2, \Rightarrow_2)$ such that $\Upsilon_1 \sim_{SO} \Upsilon_2$. For every closed $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$, we have:

$\Upsilon_1 \models \Phi$ if and only if $\Upsilon_2 \models t_{dup}(\Phi)$.

Proof. Since $s_{01} \sim_{SO} s_{02}$, by Lemma 60 we have

$\Upsilon_1, s_{01} \models \Phi$ if and only if $\Upsilon_2, s_{02} \models t_{dup}(\Phi)$;

then the proof is completed by observing the definition of S-bisimilar transition systems. □

E.2 Properties of C-Repair and C-Repair Actions

With the aim of reducing the verification of C-GKABs into S-GKABs, we now show some important properties of b-repair, c-repair and c-repair actions that we will use to recast the verification of C-GKABs into S-GKABs. The main purpose of this section is to show that a c-repair action produces the same result as the computation of c-repair.

As a start, below we show that, for every pair of ABox assertions that violates a certain negative inclusion assertion, each of them is contained in a different ABox in the result of b-repair.
Lemma 62. Let $T$ be a TBox, and $A$ an ABox. For every negative concept inclusion assertion $B_1 \sqsubseteq \neg B_2$ such that $T \models B_1 \sqsubseteq \neg B_2$ and $B_1 \neq B_2$, if $\{B_1(c), B_2(c)\} \subseteq A$ (for any constant $c \in \Delta$), then there exists $A' \in \mathrm{B\text{-}REP}(T, A)$ such that (i) $B_1(c) \in A'$, (ii) $B_2(c) \notin A'$. (Similarly for the case of a negative role inclusion assertion $R_1 \sqsubseteq \neg R_2$ s.t. $T \models R_1 \sqsubseteq \neg R_2$.)

Proof. Suppose by contradiction that $\{B_1(c), B_2(c)\} \subseteq A$ and there does not exist $A' \in \mathrm{B\text{-}REP}(T, A)$ such that $B_1(c) \in A'$ and $B_2(c) \notin A'$. Since in DL-Lite$_A$ the violation of a negative concept inclusion $B_1 \sqsubseteq \neg B_2$ is only caused by a pair of assertions $B_1(c)$ and $B_2(c)$ (for any constant $c \in \Delta$), and since by the definition of $\mathrm{B\text{-}REP}(T, A)$ it contains all maximal $T$-consistent subsets of $A$, there should be a $T$-consistent ABox $A' \in \mathrm{B\text{-}REP}(T, A)$ such that $B_1(c) \in A'$ and $B_2(c) \notin A'$, obtained by just removing $B_2(c)$ from $A$ and keeping $B_1(c)$ (otherwise we would not have all maximal $T$-consistent subsets of $A$ in $\mathrm{B\text{-}REP}(T, A)$, which contradicts the definition of $\mathrm{B\text{-}REP}(T, A)$ itself). Hence, we have a contradiction. Thus, there exists $A' \in \mathrm{B\text{-}REP}(T, A)$ such that (i) $B_1(c) \in A'$, (ii) $B_2(c) \notin A'$. The proof for the case of negative role inclusion is similar. □


Similarly, for the case of functionality assertions, below we show that for each role assertion that violates a functionality assertion, there exists an ABox in the set of b-repair results that contains only this role assertion but not the other role assertions that together with it violate the corresponding functionality assertion.

Lemma 63. Given a TBox $T$ and an ABox $A$, for every functionality assertion $(\mathrm{funct}\ R)$, if $\{R(c, c_1), R(c, c_2), \ldots, R(c, c_n)\} \subseteq A$ (for any constants $\{c, c_1, c_2, \ldots, c_n\} \subseteq \Delta$), then there exists $A' \in \mathrm{B\text{-}REP}(T, A)$ such that (i) $R(c, c_1) \in A'$, (ii) $R(c, c_2) \notin A', \ldots, R(c, c_n) \notin A'$.

Proof. Similar to the proof of Lemma 62. □


Below, we show that the result of c-repair does not contain any ABox assertion that, together with another ABox assertion, violates a negative inclusion assertion. Intuitively, this fact is obtained by using Lemma 62, which says that for every pair of ABox assertions that violates a negative inclusion assertion, each of them is contained in a different ABox in the result of b-repair. As a consequence, neither of them is in the result of c-repair when we compute the intersection of all b-repair results.

Lemma 64. Given a TBox $T$ and an ABox $A$, for every negative concept inclusion assertion $B_1 \sqsubseteq \neg B_2$ such that $T \models B_1 \sqsubseteq \neg B_2$ and $B_1 \neq B_2$, if $\{B_1(c), B_2(c)\} \subseteq A$ (for any constant $c \in \Delta$), then $B_1(c) \notin \mathrm{C\text{-}REP}(T, A)$ and $B_2(c) \notin \mathrm{C\text{-}REP}(T, A)$. (Similarly for the case of negative role inclusion assertions.)

Proof. Let $B_1(c), B_2(c) \in A$ (for a constant $c \in \Delta$); then by Lemma 62 there exist $A' \in \mathrm{B\text{-}REP}(T, A)$ and $A'' \in \mathrm{B\text{-}REP}(T, A)$ such that (i) $B_1(c) \in A'$, (ii) $B_2(c) \notin A'$, (iii) $B_2(c) \in A''$, and (iv) $B_1(c) \notin A''$. By the definition of c-repair, $\mathrm{C\text{-}REP}(T, A) = \bigcap_{A_i \in \mathrm{B\text{-}REP}(T, A)} A_i$. Since $B_1(c), B_2(c) \notin A' \cap A''$, we have that $B_1(c), B_2(c) \notin \mathrm{C\text{-}REP}(T, A)$. The proof for the case of negative role inclusion is similar. □


Similarly, below we show that the result of c-repair does not contain any role assertion that, together with another role assertion, violates a functionality assertion. The intuition of the proof is similar to the proof of Lemma 64, i.e., they are thrown away when we compute the intersection of all b-repair results.

Lemma 65. Given a TBox $T$ and an ABox $A$, for every functionality assertion $(\mathrm{funct}\ R) \in T$, if $\{R(c, c_1), \ldots, R(c, c_n)\} \subseteq A$ (for any constants $c, c_1, \ldots, c_n \in \Delta$), then $R(c, c_1) \notin \mathrm{C\text{-}REP}(T, A), \ldots, R(c, c_n) \notin \mathrm{C\text{-}REP}(T, A)$.

Proof. Similar to the proof of Lemma 64. □


Now, in the two following lemmas we show a property of c-repair actions, namely that a c-repair action deletes all ABox assertions that, together with another ABox assertion, violate a negative inclusion or a functionality assertion.

Lemma 66. Given a TBox $T$, an ABox $A$, a service call map $m$ and a c-repair action $a^c_T$. If $\langle (A, m), a^c_T\sigma, (A', m) \rangle \in \mathrm{TELL}_{f_S}$ (where $\sigma$ is the empty substitution), then for every negative concept inclusion assertion $B_1 \sqsubseteq \neg B_2$ such that $T \models B_1 \sqsubseteq \neg B_2$ and $B_1 \neq B_2$, if $\{B_1(c), B_2(c)\} \subseteq A$ (for some $c \in \Delta$), then $B_1(c) \notin A'$ and $B_2(c) \notin A'$. (Similarly for the case of negative role inclusion assertions.)

Proof. Since $T \models B_1 \sqsubseteq \neg B_2$, by the definition of $a^c_T$ we have

$Q_{unsat}(B_1 \sqsubseteq \neg B_2, x) \rightsquigarrow \mathbf{del}\,\{B_1(x), B_2(x)\} \in \mathrm{EFF}(a^c_T)$.

Since $\langle (A, m), a^c_T\sigma, (A', m) \rangle \in \mathrm{TELL}_{f_S}$, by the definition of $\mathrm{TELL}_{f_S}$ we have $\langle A, \mathrm{ADD}^{a^c_T\sigma}_A\theta, \mathrm{DEL}^{a^c_T\sigma}_A, A' \rangle \in f_S$. Now, it is easy to see that by the definition of the filter $f_S$ and of $\mathrm{DEL}^{a^c_T\sigma}_A$, we have $B_1(c) \notin A'$ and $B_2(c) \notin A'$. □

Lemma 67. Given a TBox $T$, an ABox $A$, a service call map $m$ and a c-repair action $a^c_T$. If $\langle (A, m), a^c_T\sigma, (A', m) \rangle \in \mathrm{TELL}_{f_S}$ (where $\sigma$ is the empty substitution), then for every functionality assertion $(\mathrm{funct}\ R) \in T$, if $\{R(c, c_1), \ldots, R(c, c_n)\} \subseteq A$ (for some constants $\{c, c_1, \ldots, c_n\} \subseteq \Delta$), then $R(c, c_1) \notin A', \ldots, R(c, c_n) \notin A'$.

Proof. Similar to the proof of Lemma 66. □

Next, we show that every ABox assertion that does not violate any TBox assertion appears in all results of b-repair.

Lemma 68. Given a TBox $T$ and an ABox $A$, for every concept assertion $C(c) \in A$ (for any constant $c \in \Delta$) such that $C(c) \notin \mathrm{INC}(A)$, it holds that for every $A' \in \mathrm{B\text{-}REP}(T, A)$ we have $C(c) \in A'$. (Similarly for role assertions.)

Proof. Suppose by contradiction that there exists $C(c) \in A$ such that $C(c) \notin \mathrm{INC}(A)$ and there exists $A' \in \mathrm{B\text{-}REP}(T, A)$ such that $C(c) \notin A'$. Then, since $C(c) \notin \mathrm{IN}C(A)$, there exists $A''$ such that $A' \subset A'' \subseteq A$ and $A''$ is $T$-consistent (where $A'' = A' \cup \{C(c)\}$). Hence, $A' \notin \mathrm{B\text{-}REP}(T, A)$. Thus we have a contradiction, which proves the claim. The proof for the case of role assertions can be done similarly. □

From the previous lemma, we can show that every ABox assertion that does not violate any negative inclusion assertion appears in the c-repair result.

Lemma 69. Given a TBox $T$ and an ABox $A$, for every concept assertion $C(c) \in A$ s.t. $C(c) \notin \mathrm{INC}(A)$ we have that $C(c) \in \mathrm{C\text{-}REP}(T, A)$. (Similarly for role assertions.)

Proof. Let $C(c) \in A$ be an arbitrary concept assertion s.t. $C(c) \notin \mathrm{INC}(A)$. By Lemma 68, for every $A' \in \mathrm{B\text{-}REP}(T, A)$ we have $C(c) \in A'$. Hence, since $\mathrm{C\text{-}REP}(T, A) = \bigcap_{A_i \in \mathrm{B\text{-}REP}(T, A)} A_i$, we have $C(c) \in \mathrm{C\text{-}REP}(T, A)$. The proof for the case of role assertions can be done similarly. □

Finally, we can say that the c-repair action correctly mimics the c-repair computation, i.e., they produce the same result.

Lemma 70. Given a TBox $T$, an ABox $A$, a service call map $m$ and a c-repair action $a^c_T$. Let $A_1 = \mathrm{C\text{-}REP}(T, A)$, and $\langle (A, m), a^c_T\sigma, (A_2, m) \rangle \in \mathrm{TELL}_{f_S}$, where $\sigma$ is the empty substitution; then we have $A_1 = A_2$.

Proof. The proof is obtained by observing that $a^c_T$ never deletes any ABox assertion that is not involved in any source of inconsistency, and also by using Lemmas 66, 67 and 69. □

E.3 Reducing the Verification of C-GKABs Into S-GKABs

In the following two Lemmas, we aim to show that the transition systems of a C-GKAB and its corresponding S-GKAB (obtained through $\tau_C$) are S-bisimilar.

Lemma 71. Let $\mathcal{G}$ be a C-GKAB with transition system $\Upsilon^{f_C}_{\mathcal{G}}$, and let $\tau_C(\mathcal{G})$ be an S-GKAB with transition system $\Upsilon^{f_S}_{\tau_C(\mathcal{G})}$ obtained through $\tau_C$. Consider a state $\langle A_c, m_c, \delta_c\rangle$ of $\Upsilon^{f_C}_{\mathcal{G}}$ and a state $\langle A_s, m_s, \delta_s\rangle$ of $\Upsilon^{f_S}_{\tau_C(\mathcal{G})}$. If $A_s = A_c$, $m_s = m_c$ and $\delta_s = \kappa_C(\delta_c)$, then $\langle A_c, m_c, \delta_c\rangle \sim_{SO} \langle A_s, m_s, \delta_s\rangle$.

Proof. Let

1. $\mathcal{G} = (T, A_0, \Gamma, \delta)$, and $\Upsilon^{f_C}_{\mathcal{G}} = \langle \Delta, T, \Sigma_c, s_{0c}, abox_c, \Rightarrow_c\rangle$,

2. $\tau_C(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$, and $\Upsilon^{f_S}_{\tau_C(\mathcal{G})} = \langle \Delta, T_s, \Sigma_s, s_{0s}, abox_s, \Rightarrow_s\rangle$.

Now, we have to show the following: for every state $\langle A''_c, m''_c, \delta''_c\rangle$ such that $\langle A_c, m_c, \delta_c\rangle \Rightarrow_c \langle A''_c, m''_c, \delta''_c\rangle$, there exist states $\langle A'_s, m'_s, \delta'_s\rangle$ and $\langle A''_s, m''_s, \delta''_s\rangle$ such that:

(a) $\langle A_s, m_s, \delta_s\rangle \Rightarrow_s \langle A'_s, m'_s, \delta'_s\rangle \Rightarrow_s \langle A''_s, m''_s, \delta''_s\rangle$;

(b) $A''_c = A''_s$;

(c) $m''_c = m''_s$;

(d) $\delta''_s = \kappa_C(\delta''_c)$.

By definition of $\Upsilon^{f_C}_{\mathcal{G}}$, since $\langle A_c, m_c, \delta_c\rangle \Rightarrow_c \langle A''_c, m''_c, \delta''_c\rangle$, we have $\langle A_c, m_c, \delta_c\rangle \xrightarrow{\alpha\sigma_c, f_C} \langle A''_c, m''_c, \delta''_c\rangle$. Hence, by the definition of $\xrightarrow{\alpha\sigma_c, f_C}$, we have that:

• there exists an action $\alpha \in \Gamma$ with a corresponding action invocation $\mathbf{pick}\ Q(p).\alpha(p)$ and legal parameter assignment $\sigma_c$ such that $\alpha$ is executable in $A_c$ with (legal parameter assignment) $\sigma_c$, and

• $\langle (A_c, m_c), \alpha\sigma_c, (A''_c, m''_c)\rangle \in \textsc{tell}_{f_C}$.

Since $\langle (A_c, m_c), \alpha\sigma_c, (A''_c, m''_c)\rangle \in \textsc{tell}_{f_C}$, by the definition of $\textsc{tell}_{f_C}$ there exists $\theta_c \in \textsc{eval}(\textsc{add}_{\alpha\sigma_c})$ such that

• $\theta_c$ and $m_c$ agree on the common values in their domains,

• $m''_c = m_c \cup \theta_c$,

• $\langle A_c, \textsc{add}_{\alpha\sigma_c}\theta_c, \textsc{del}_{\alpha\sigma_c}, A''_c\rangle \in f_C$,

• $A''_c$ is $T$-consistent.

Since $\langle A_c, \textsc{add}_{\alpha\sigma_c}\theta_c, \textsc{del}_{\alpha\sigma_c}, A''_c\rangle \in f_C$, by the definition of $f_C$ there exists $A'_c$ such that $A''_c = \textsc{c-rep}(T, A'_c)$, where $A'_c = (A_c \setminus \textsc{del}_{\alpha\sigma_c}) \cup \textsc{add}_{\alpha\sigma_c}\theta_c$. Furthermore, since $\delta_s = \kappa_C(\delta_c)$, by the definition of $\kappa_C$ we have that

$\kappa_C(\mathbf{pick}\ Q(p).\alpha(p)) = \mathbf{pick}\ Q(p).\alpha(p);\ \mathbf{pick}\ true.\alpha^c_T()$.

Hence, the next executable part of the program on state $\langle A_s, m_s, \delta_s\rangle$ is

$\mathbf{pick}\ Q(p).\alpha(p);\ \mathbf{pick}\ true.\alpha^c_T()$.

Now, since $\sigma_c$ maps parameters of $\alpha \in \Gamma$ to constants in $\textsc{adom}(A_c)$, and $A_c = A_s$, we can construct $\sigma_s$ mapping parameters of $\alpha \in \Gamma_s$ to constants in $\textsc{adom}(A_s)$ such that $\sigma_c = \sigma_s$. Moreover, since $A_s = A_c$, the certain answers computed over $A_c$ are the same as those computed over $A_s$. Hence, $\alpha \in \Gamma_s$ is executable in $A_s$ with (legal parameter assignment) $\sigma_s$. Now, since $m_s = m_c$, we can construct $\theta_s$ such that $\theta_s = \theta_c$. Hence, we have the following:

• $\theta_s$ and $m_s$ agree on the common values in their domains,

• $m'_s = \theta_s \cup m_s = \theta_c \cup m_c = m''_c$.

Let $A'_s = (A_s \setminus \textsc{del}_{\alpha\sigma_s}) \cup \textsc{add}_{\alpha\sigma_s}\theta_s$; as a consequence, we have $\langle A_s, \textsc{add}_{\alpha\sigma_s}\theta_s, \textsc{del}_{\alpha\sigma_s}, A'_s\rangle \in f_S$. Since $A_s = A_c$, $\theta_s = \theta_c$, and $\sigma_s = \sigma_c$, it follows that

• $\textsc{del}_{\alpha\sigma_s} = \textsc{del}_{\alpha\sigma_c}$, and

• $\textsc{add}_{\alpha\sigma_s}\theta_s = \textsc{add}_{\alpha\sigma_c}\theta_c$.

Hence, by the construction of $A'_s$ and $A'_c$ above, we also have $A'_s = A'_c$. By the definition of $\tau_C$, we have $T_s = T_p$ (i.e., only the positive inclusion assertions of $T$), hence $A'_s$ is $T_s$-consistent. Thus, by the definition of $\textsc{tell}_{f_S}$, we have $\langle (A_s, m_s), \alpha\sigma_s, (A'_s, m'_s)\rangle \in \textsc{tell}_{f_S}$. Moreover, we have

$\langle A_s, m_s, \mathbf{pick}\ Q(p).\alpha(p);\ \delta_0\rangle \xrightarrow{\alpha\sigma_s, f_S} \langle A'_s, m'_s, \delta_0\rangle$

where $\delta_0 = \mathbf{pick}\ true.\alpha^c_T()$. Now, it is easy to see that

$\langle A'_s, m'_s, \mathbf{pick}\ true.\alpha^c_T()\rangle \xrightarrow{\alpha^c_T\sigma, f_S} \langle A''_s, m''_s, \varepsilon\rangle$

where

• $m''_s = m'_s$ (since $\alpha^c_T$ does not involve any service call),

• $\sigma$ is the empty substitution (because $\alpha^c_T$ is a 0-ary action),

• $\langle A''_s, m''_s, \varepsilon\rangle \in F$,

• $A''_s = \textsc{c-rep}(T, A'_s)$ (by Lemma 70).

Since $A'_s = A'_c$, $A''_s = \textsc{c-rep}(T, A'_s)$, and $A''_c = \textsc{c-rep}(T, A'_c)$, we have $A''_s = A''_c$. Moreover, since $\langle A''_s, m''_s, \varepsilon\rangle \in F$, we have successfully finished executing

$\mathbf{pick}\ Q(p).\alpha(p);\ \mathbf{pick}\ true.\alpha^c_T()$

and by the definition of $\kappa_C$ the rest of the program to be executed is $\delta''_s = \kappa_C(\delta''_c)$. Thus, we have

$\langle A_s, m_s, \delta_s\rangle \Rightarrow_s \langle A'_s, m'_s, \delta'_s\rangle \Rightarrow_s \langle A''_s, m''_s, \delta''_s\rangle$

where

(a) $A''_c = A''_s$;

(b) $m''_c = m''_s$;

(c) $\delta''_s = \kappa_C(\delta''_c)$.

The other direction of the bisimulation relation can be proven symmetrically. □


Having Lemma 71 in hand, we can easily show that, given a C-GKAB, its transition system is S-bisimilar to the transition system of its corresponding S-GKAB obtained via the translation $\tau_C$, as follows.

Lemma 72. Given a C-GKAB $\mathcal{G}$, we have $\Upsilon^{f_C}_{\mathcal{G}} \sim_{SO} \Upsilon^{f_S}_{\tau_C(\mathcal{G})}$.


Proof. Let

1. $\mathcal{G} = (T, A_0, \Gamma, \delta_c)$, and $\Upsilon^{f_C}_{\mathcal{G}} = \langle \Delta, T, \Sigma_c, s_{0c}, abox_c, \Rightarrow_c\rangle$,

2. $\tau_C(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$, and $\Upsilon^{f_S}_{\tau_C(\mathcal{G})} = \langle \Delta, T_s, \Sigma_s, s_{0s}, abox_s, \Rightarrow_s\rangle$.

We have that $s_{0c} = \langle A_0, m_c, \delta_c\rangle$ and $s_{0s} = \langle A_0, m_s, \delta_s\rangle$ where $m_c = m_s = \emptyset$. By the definition of $\kappa_C$ and $\tau_C$, we also have $\delta_s = \kappa_C(\delta_c)$. Hence, by Lemma 71 we have $s_{0c} \sim_{SO} s_{0s}$. Therefore, by the definition of S-bisimulation, we have $\Upsilon^{f_C}_{\mathcal{G}} \sim_{SO} \Upsilon^{f_S}_{\tau_C(\mathcal{G})}$. □


Finally, we are now ready to show that the verification of $\mu\mathcal{L}^{EQL}_A$ formulas over C-GKABs can be recast as verification of $\mu\mathcal{L}^{EQL}_A$ formulas over S-GKABs, as follows.

Theorem 73. Given a C-GKAB $\mathcal{G}$ and a closed $\mu\mathcal{L}^{EQL}_A$ property $\Phi$,

$\Upsilon^{f_C}_{\mathcal{G}} \models \Phi$ iff $\Upsilon^{f_S}_{\tau_C(\mathcal{G})} \models t_{dup}(\Phi)$.

Proof. By Lemma 72 we have that $\Upsilon^{f_C}_{\mathcal{G}} \sim_{SO} \Upsilon^{f_S}_{\tau_C(\mathcal{G})}$. Hence, by Lemma 61, it is easy to see that the claim is proved. □


F From E-GKABs to S-GKABs

Here we show that the verification of properties over E-GKABs can be recast as verification over S-GKABs. Formally, given an E-GKAB $\mathcal{G}$ and a $\mu\mathcal{L}^{EQL}_A$ formula $\Phi$, we show that $\Upsilon^{f_E}_{\mathcal{G}} \models \Phi$ if and only if $\Upsilon^{f_S}_{\tau_E(\mathcal{G})} \models t_{dup}(\Phi)$ (this claim is formally stated and proven in Theorem 78). The strategy of the proof is similar to the reduction from the verification of C-GKABs into the verification of S-GKABs in Section E, i.e., we show that the transition system of an E-GKAB is S-bisimilar to the transition system of its corresponding S-GKAB, and hence they cannot be distinguished by any $\mu\mathcal{L}^{EQL}_A$ formula modulo the translation $t_{dup}$.


As a preliminary, we define a translation function $\kappa_E$ that essentially concatenates each action invocation with an evolution action, in order to simulate the action executions in E-GKABs. Additionally, the translation function $\kappa_E$ also serves as a one-to-one correspondence (bijection) between the original and the translated program (as well as between the sub-programs). Formally, given a program $\delta$ and a TBox $T$, we define the translation $\kappa_E$, which translates a program into a program, inductively as follows:

$\kappa_E(\mathbf{pick}\ Q(p).\alpha(p)) = \mathbf{pick}\ Q(p).\alpha'(p);\ \mathbf{pick}\ true.\alpha^e_T()$

$\kappa_E(\varepsilon) = \varepsilon$

$\kappa_E(\delta_1 | \delta_2) = \kappa_E(\delta_1) | \kappa_E(\delta_2)$

$\kappa_E(\delta_1 ; \delta_2) = \kappa_E(\delta_1) ; \kappa_E(\delta_2)$

$\kappa_E(\mathbf{if}\ \varphi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2) = \mathbf{if}\ \varphi\ \mathbf{then}\ \kappa_E(\delta_1)\ \mathbf{else}\ \kappa_E(\delta_2)$

$\kappa_E(\mathbf{while}\ \varphi\ \mathbf{do}\ \delta) = \mathbf{while}\ \varphi\ \mathbf{do}\ \kappa_E(\delta)$

where $\alpha'$ and $\alpha^e_T$ are defined as in the Section

F.1 Reducing the Verification of E-GKABs Into S-GKABs

As the first step, we show an important property of the filter $f_E$ (which is also a property of the $\textsc{evol}$ operator). In particular, we show that every ABox assertion in the evolution result is either a new assertion, or an assertion that was already in the original ABox, was not deleted, and does not violate any TBox constraint (together with the other ABox assertions). Formally, the claim is stated below.

Lemma 74. Given a TBox $T$, a $T$-consistent ABox $A$, a $T$-consistent set $F^+$ of ABox assertions to be added, and a set $F^-$ of ABox assertions to be deleted, such that $A_e = \textsc{evol}(T, A, F^+, F^-)$, we have $N(c) \in A_e$ if and only if either

1. $N(c) \in F^+$, or

2. $N(c) \in (A \setminus F^-)$ and there does not exist $B(c) \in F^+$ such that $T \models N \sqsubseteq \neg B$.

(Similarly for the case of role assertions.)

Proof.

($\Rightarrow$) Assume $N(c) \in A_e$. Since $A_e = \textsc{evol}(T, A, F^+, F^-)$, by the definition of $\textsc{evol}(T, A, F^+, F^-)$ we have $A_e = F^+ \cup A'$, where

1. $A' \subseteq (A \setminus F^-)$,

2. $F^+ \cup A'$ is $T$-consistent, and

3. there does not exist $A''$ such that $A' \subset A'' \subseteq (A \setminus F^-)$ and $F^+ \cup A''$ is $T$-consistent.

Hence, we have either

(1) $N(c) \in F^+$, or

(2) $N(c) \in A'$.

For case (2), as a consequence:

- Since $N(c) \in A'$ and $A' \subseteq (A \setminus F^-)$, it follows that $N(c) \in (A \setminus F^-)$.

- Since $F^+ \cup A'$ is $T$-consistent, there does not exist $B(c) \in F^+$ s.t. $T \models N \sqsubseteq \neg B$.

Thus, the claim is proven.

($\Leftarrow$) We divide the proof into two parts:

(1) Assume $N(c) \in F^+$. Then simply by the definition of $\textsc{evol}(T, A, F^+, F^-)$, we have $N(c) \in A_e$.

(2) Suppose by contradiction that $N(c) \in (A \setminus F^-)$, there does not exist $B(c) \in F^+$ s.t. $T \models N \sqsubseteq \neg B$, and $N(c) \notin A_e$. Since $N(c) \notin A_e$, by the definition of $\textsc{evol}(T, A, F^+, F^-)$ we have that $N(c) \notin F^+$ and $N(c) \notin A'$, where $A'$ must satisfy the following:

- $A' \subseteq (A \setminus F^-)$,

- $F^+ \cup A'$ is $T$-consistent, and

- there does not exist $A''$ such that $A' \subset A'' \subseteq (A \setminus F^-)$ and $F^+ \cup A''$ is $T$-consistent.

But then we have a contradiction, since there exists $A'' = A' \cup \{N(c)\}$ such that $A' \subset A'' \subseteq (A \setminus F^-)$ and $F^+ \cup A''$ is $T$-consistent. Hence, we must have $N(c) \in A_e$.

□
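As an added illustration of Lemmas 68, 69 and 74 (example code written for this page, not the paper's own implementation), the following Python computes B-REP, C-REP, INC and EVOL directly from their definitions over a constructed TBox with positive and negative concept inclusions; the TBox, the ABoxes and all helper names are constructed assumptions.

```python
from itertools import combinations

# Added example (not the paper's code). Constructed TBox: C ⊑ D and C ⊑ ¬D.
POS = {("Student", "Person"), ("Staff", "Person"), ("Prof", "Staff")}
NEG = {("Student", "Staff")}          # Student ⊑ ¬Staff

def closure(abox):
    """Saturate concept assertions (Concept, individual) under POS."""
    facts = set(abox)
    changed = True
    while changed:
        changed = False
        for c, d in POS:
            for n, x in list(facts):
                if n == c and (d, x) not in facts:
                    facts.add((d, x))
                    changed = True
    return facts

def consistent(abox):
    """T-consistency: no individual falls under two disjoint concepts."""
    facts = closure(abox)
    return not any(n == c and (d, x) in facts for c, d in NEG for n, x in facts)

def disjoint(n, b):
    """T ⊨ N ⊑ ¬B  iff  {N(x), B(x)} is inconsistent for a fresh x."""
    return not consistent({(n, "_x"), (b, "_x")})

def inc(abox):
    """INC(A): assertions in some minimal inconsistent subset of A. With
    concept disjointness only, a minimal conflict has at most two assertions."""
    bad = set()
    for k in (1, 2):
        for sub in combinations(abox, k):
            if not consistent(sub):
                bad.update(sub)
    return bad

def b_rep(abox):
    """B-REP(T, A): all maximal T-consistent subsets of A (Lemma 68)."""
    items, reps = list(abox), []
    for k in range(len(items), -1, -1):          # largest subsets first
        for sub in combinations(items, k):
            s = set(sub)
            if consistent(s) and not any(s < r for r in reps):
                reps.append(s)
    return reps

def c_rep(abox):
    """C-REP(T, A): intersection of all b-repairs (Lemma 69)."""
    return set.intersection(*b_rep(abox))

def evol(abox, f_plus, f_minus):
    """EVOL(T, A, F+, F-): F+ plus a maximal A' ⊆ A \\ F- with F+ ∪ A' consistent."""
    base = list(set(abox) - set(f_minus))
    for k in range(len(base), -1, -1):
        for sub in combinations(base, k):
            if consistent(set(f_plus) | set(sub)):
                return set(f_plus) | set(sub)

def lemma74_prediction(abox, f_plus, f_minus):
    """Right-hand side of Lemma 74: F+ plus the old, undeleted N(c) for which
    no B(c) in F+ satisfies T ⊨ N ⊑ ¬B."""
    kept = {(n, c) for n, c in set(abox) - set(f_minus)
            if not any(x == c and disjoint(n, b) for b, x in f_plus)}
    return set(f_plus) | kept

# Constructed ABox: bob is both a Student and a Prof (hence Staff), one conflict.
A = {("Student", "ann"), ("Student", "bob"), ("Prof", "bob"), ("Person", "cat")}
# Constructed evolution step over a consistent ABox with a consistent F+.
A0 = {("Student", "ann"), ("Person", "cat"), ("Staff", "dan")}
FP, FM = {("Prof", "ann")}, {("Person", "cat")}
```

Running `c_rep(A)` keeps exactly the assertions outside `inc(A)`, and `evol(A0, FP, FM)` coincides with `lemma74_prediction(A0, FP, FM)`.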


Now we show an important property of the evolution action $\alpha^e_T$, which says that every ABox assertion in the result of executing $\alpha^e_T$ is either a newly added assertion, or an old assertion that does not violate any TBox constraint. Precisely, we state this property below.

Lemma 75. Given

• an E-GKAB $\mathcal{G} = (T, A_0, \Gamma_e, \delta_e)$ with transition system $\Upsilon^{f_E}_{\mathcal{G}}$, and

• an S-GKAB $\tau_E(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$ (with transition system $\Upsilon^{f_S}_{\tau_E(\mathcal{G})}$) that is obtained from $\mathcal{G}$ through $\tau_E$, where $T_s = T_p \cup T_n$.

Let $\langle A, m, \delta\rangle$ be any state in $\Upsilon^{f_S}_{\tau_E(\mathcal{G})}$ and $\alpha' \in \Gamma_s$ be any action, such that $A$ is $T_s$-consistent, $A$ does not contain any ABox assertion constructed from $\textsc{voc}(T_n)$, and we have

$\langle A, m, \delta\rangle \xrightarrow{\alpha'\sigma, f_S} \langle A', m', \delta'\rangle \xrightarrow{\alpha^e_T\sigma', f_S} \langle A'', m'', \delta''\rangle$

for

• a particular legal parameter assignment $\sigma$,

• an empty substitution $\sigma'$,

• a particular service call evaluation $\theta \in \textsc{eval}(\textsc{add}_{\alpha'\sigma})$ that agrees with $m$ on the common values in their domains.

We have $N(c) \in A''$ if and only if $N$ is not in the vocabulary of TBox $T_n$ and either

1. $N(c) \in \textsc{add}_{\alpha'\sigma}\theta$, or

2. $N(c) \in (A \setminus \textsc{del}_{\alpha'\sigma})$ and there does not exist $B(c) \in \textsc{add}_{\alpha'\sigma}\theta$ such that $T \models N \sqsubseteq \neg B$.

(Similarly for the case of role assertions.)

Proof.

($\Rightarrow$) Assume $N(c) \in A''$. Since the evolution action $\alpha^e_T$ only

1. removes old assertions when an inconsistency arises, and

2. flushes every ABox assertion constructed from the vocabulary of $T_n$,

we have the following:

1. $N$ is not in the vocabulary of TBox $T_n$ (otherwise it would be flushed by $\alpha^e_T$);

2. $N(c) \in A'$ (because $\alpha^e_T$ never introduces a new ABox assertion);

3. if there exists $B(c) \in A'$ such that $T \models N \sqsubseteq \neg B$, then $B(c) \notin A''$, $B_n(c) \in A'$, and $N_n(c) \in A'$ (i.e., if $N(c) \in A'$ violates a negative inclusion assertion, $N(c)$ must be a newly added ABox assertion, otherwise it would be deleted by $\alpha^e_T$).

Now, since $A$ and $A'$ are $T_s$-consistent (because $\langle A, m, \delta\rangle \xrightarrow{\alpha'\sigma, f_S} \langle A', m', \delta'\rangle$), $\textsc{add}_{\alpha'\sigma}\theta$ is $T_s$-consistent. Hence we have either

1. $N(c) \in \textsc{add}_{\alpha'\sigma}\theta$ (and there does not exist $B(c)$ such that $B(c) \in \textsc{add}_{\alpha'\sigma}\theta$ and $T \models N \sqsubseteq \neg B$), or

2. $N(c) \in (A \setminus \textsc{del}_{\alpha'\sigma})$ and there does not exist $B(c) \in \textsc{add}_{\alpha'\sigma}\theta$ such that $T \models N \sqsubseteq \neg B$ (otherwise we would have $\{N(c), B(c), B_n(c)\} \subseteq A'$, and then $N(c)$ would be deleted by $\alpha^e_T$).

Therefore, the claim is proved.

($\Leftarrow$) We divide the proof into two parts:

1. Assume $N(c) \in \textsc{add}_{\alpha'\sigma}\theta$. Then, by the construction of $\alpha'$ and the definition of $\xrightarrow{\alpha'\sigma, f_S}$, it is easy to see that $N(c), N_n(c) \in A'$. Moreover, $N(c) \in A''$ (by the construction of $\alpha^e_T$).

2. Assume $N(c) \in (A \setminus \textsc{del}_{\alpha'\sigma})$ and there does not exist $B(c) \in \textsc{add}_{\alpha'\sigma}\theta$ s.t. $T \models N \sqsubseteq \neg B$. Hence, by the definition of $\xrightarrow{\alpha'\sigma, f_S}$, we have $N(c) \in A'$. Moreover, because $N(c) \in A'$ does not violate any negative inclusion assertion, by the construction of $\alpha^e_T$ we also simply have $N(c) \in A''$.

□


Next, in the following two Lemmas, we aim to show that the transition system of an E-GKAB is S-bisimilar to the transition system of its corresponding S-GKAB obtained from the translation $\tau_E$.

Lemma 76. Let $\mathcal{G} = (T, A_0, \Gamma, \delta)$ be an E-GKAB with transition system $\Upsilon^{f_E}_{\mathcal{G}}$, and let $\tau_E(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$ be an S-GKAB with transition system $\Upsilon^{f_S}_{\tau_E(\mathcal{G})}$ obtained through $\tau_E$. Consider a state $\langle A_e, m_e, \delta_e\rangle$ of $\Upsilon^{f_E}_{\mathcal{G}}$ and a state $\langle A_s, m_s, \delta_s\rangle$ of $\Upsilon^{f_S}_{\tau_E(\mathcal{G})}$. If $A_s = A_e$, $m_s = m_e$, $A_s$ is $T$-consistent and $\delta_s = \kappa_E(\delta_e)$, then $\langle A_e, m_e, \delta_e\rangle \sim_{SO} \langle A_s, m_s, \delta_s\rangle$.


Proof. Let $\Upsilon^{f_E}_{\mathcal{G}} = \langle \Delta, T, \Sigma_e, s_{0e}, abox_e, \Rightarrow_e\rangle$ and $\Upsilon^{f_S}_{\tau_E(\mathcal{G})} = \langle \Delta, T_s, \Sigma_s, s_{0s}, abox_s, \Rightarrow_s\rangle$. We have to show the following: for every state $\langle A''_e, m''_e, \delta''_e\rangle$ such that

$\langle A_e, m_e, \delta_e\rangle \Rightarrow_e \langle A''_e, m''_e, \delta''_e\rangle$,

there exist states $\langle A'_s, m'_s, \delta'_s\rangle$ and $\langle A''_s, m''_s, \delta''_s\rangle$ such that:

(a) $\langle A_s, m_s, \delta_s\rangle \Rightarrow_s \langle A'_s, m'_s, \delta'_s\rangle \Rightarrow_s \langle A''_s, m''_s, \delta''_s\rangle$;

(b) $A''_e = A''_s$;

(c) $m''_e = m''_s$;

(d) $\delta''_s = \kappa_E(\delta''_e)$.

By definition of $\Upsilon^{f_E}_{\mathcal{G}}$, since $\langle A_e, m_e, \delta_e\rangle \Rightarrow_e \langle A''_e, m''_e, \delta''_e\rangle$, we have $\langle A_e, m_e, \delta_e\rangle \xrightarrow{\alpha\sigma_e, f_E} \langle A''_e, m''_e, \delta''_e\rangle$. Hence, by the definition of $\xrightarrow{\alpha\sigma_e, f_E}$, we have:

• there exists an action $\alpha \in \Gamma$ with a corresponding action invocation $\mathbf{pick}\ Q(p).\alpha(p)$ and legal parameter assignment $\sigma_e$ such that $\alpha$ is executable in $A_e$ with (legal parameter assignment) $\sigma_e$, and

• $\langle (A_e, m_e), \alpha\sigma_e, (A''_e, m''_e)\rangle \in \textsc{tell}_{f_E}$.

Since $\langle (A_e, m_e), \alpha\sigma_e, (A''_e, m''_e)\rangle \in \textsc{tell}_{f_E}$, by the definition of $\textsc{tell}_{f_E}$ there exists $\theta_e \in \textsc{eval}(\textsc{add}_{\alpha\sigma_e})$ such that

• $\theta_e$ and $m_e$ agree on the common values in their domains,

• $m''_e = m_e \cup \theta_e$,

• $\langle A_e, \textsc{add}_{\alpha\sigma_e}\theta_e, \textsc{del}_{\alpha\sigma_e}, A''_e\rangle \in f_E$,

• $A''_e$ is $T$-consistent.

Since $\langle A_e, \textsc{add}_{\alpha\sigma_e}\theta_e, \textsc{del}_{\alpha\sigma_e}, A''_e\rangle \in f_E$, by the definition of $f_E$ we have

• $\textsc{add}_{\alpha\sigma_e}\theta_e$ is $T$-consistent,

• $A''_e = \textsc{evol}(T, A_e, \textsc{add}_{\alpha\sigma_e}\theta_e, \textsc{del}_{\alpha\sigma_e})$.

Furthermore, since $\delta_s = \kappa_E(\delta_e)$, by the definition of $\kappa_E$ we have that

$\kappa_E(\mathbf{pick}\ Q(p).\alpha(p)) = \mathbf{pick}\ Q(p).\alpha'(p);\ \mathbf{pick}\ true.\alpha^e_T()$.

Hence, the part of the program that we need to execute on state $\langle A_s, m_s, \delta_s\rangle$ is

$\mathbf{pick}\ Q(p).\alpha'(p);\ \mathbf{pick}\ true.\alpha^e_T()$.

Now, since

• $\alpha' \in \Gamma_s$ is obtained from $\alpha \in \Gamma$ through $\tau_E$,

• the translation $\tau_E$ transforms $\alpha$ into $\alpha'$ without changing its parameters, and

• $\sigma_e$ maps parameters of $\alpha \in \Gamma$ to individuals in $\textsc{adom}(A_e)$,

we can construct $\sigma_s$ mapping parameters of $\alpha' \in \Gamma_s$ to individuals in $\textsc{adom}(A_s)$ such that $\sigma_s = \sigma_e$. Moreover, since $A_s = A_e$, we know that the certain answers computed over $A_e$ are the same as those computed over $A_s$. Hence $\alpha' \in \Gamma_s$ is executable in $A_s$ with (legal parameter assignment) $\sigma_s$. Furthermore, since $m_s = m_e$, we can construct $\theta_s$ such that $\theta_s = \theta_e$. Hence, we have the following:

• $\theta_s$ and $m_s$ agree on the common values in their domains,

• $m'_s = \theta_s \cup m_s = \theta_e \cup m_e = m''_e$.

Let $A'_s = (A_s \setminus \textsc{del}_{\alpha'\sigma_s}) \cup \textsc{add}_{\alpha'\sigma_s}\theta_s$; as a consequence, we have $\langle A_s, \textsc{add}_{\alpha'\sigma_s}\theta_s, \textsc{del}_{\alpha'\sigma_s}, A'_s\rangle \in f_S$. Since $A_s = A_e$, $\theta_s = \theta_e$, and $\sigma_s = \sigma_e$, it follows that

• $\textsc{del}_{\alpha\sigma_e} = \textsc{del}_{\alpha'\sigma_s}$;

• $N(c) \in \textsc{add}_{\alpha\sigma_e}\theta_e$ if and only if $N(c), N_n(c) \in \textsc{add}_{\alpha'\sigma_s}\theta_s$;

• $P(c_1, c_2) \in \textsc{add}_{\alpha\sigma_e}\theta_e$ if and only if $P(c_1, c_2), P_n(c_1, c_2) \in \textsc{add}_{\alpha'\sigma_s}\theta_s$.

As a consequence, since $\textsc{add}_{\alpha\sigma_e}\theta_e$ is $T$-consistent, $\textsc{add}_{\alpha'\sigma_s}\theta_s$ is $T_s$-consistent. Moreover, because $A_s$ is $T_s$-consistent, $\textsc{add}_{\alpha'\sigma_s}\theta_s$ is $T_s$-consistent, and considering how $A'_s$ is constructed, we have that $A'_s$ is $T_s$-consistent. Thus we have $\langle (A_s, m_s), \alpha'\sigma_s, (A'_s, m'_s)\rangle \in \textsc{tell}_{f_S}$, and we also have

$\langle A_s, m_s, \mathbf{pick}\ Q(p).\alpha'(p);\ \mathbf{pick}\ true.\alpha^e_T()\rangle \xrightarrow{\alpha'\sigma_s, f_S} \langle A'_s, m'_s, \mathbf{pick}\ true.\alpha^e_T()\rangle$.

It is easy to see that we have

$\langle A'_s, m'_s, \mathbf{pick}\ true.\alpha^e_T()\rangle \xrightarrow{\alpha^e_T\sigma'_s, f_S} \langle A''_s, m''_s, \varepsilon\rangle$

where

• $\langle A''_s, m''_s, \varepsilon\rangle \in F$;

• $\sigma'_s$ is the empty legal parameter assignment (because $\alpha^e_T$ is a 0-ary action);

• $m''_s = m''_e$ (due to the fact that $\alpha^e_T$ does not involve any service call (i.e., $m''_s = m'_s$) and $m'_s = m''_e$).

Additionally, by the definition of $\kappa_E$, we have $\delta''_s = \kappa_E(\delta''_e)$ as the rest of the program to be executed (because $\langle A''_s, m''_s, \varepsilon\rangle$ is a final state). Hence, we have

$\langle A_s, m_s, \delta_s\rangle \Rightarrow_s \langle A'_s, m'_s, \delta'_s\rangle \Rightarrow_s \langle A''_s, m''_s, \delta''_s\rangle$.

To complete the proof, we obtain $A''_e = A''_s$ simply as a consequence of the following facts:

1. $A_s = A_e$;

2. By Lemma 74, we have $N(c) \in A''_e$ if and only if either

• $N(c) \in \textsc{add}_{\alpha\sigma_e}\theta_e$, or

• $N(c) \in (A_e \setminus \textsc{del}_{\alpha\sigma_e})$ and there does not exist $B(c) \in \textsc{add}_{\alpha\sigma_e}\theta_e$ such that $T \models N \sqsubseteq \neg B$;

3. By Lemma 75, we have $N(c') \in A''_s$ if and only if $N$ is not in the vocabulary of TBox $T_n$ and either

• $N(c') \in \textsc{add}_{\alpha'\sigma_s}\theta_s$, or

• $N(c') \in (A_s \setminus \textsc{del}_{\alpha'\sigma_s})$ and there does not exist $B(c') \in \textsc{add}_{\alpha'\sigma_s}\theta_s$ such that $T \models N \sqsubseteq \neg B$;

4. $\textsc{del}_{\alpha\sigma_e} = \textsc{del}_{\alpha'\sigma_s}$;

5. $N(c) \in \textsc{add}_{\alpha\sigma_e}\theta_e$ if and only if $N(c), N_n(c) \in \textsc{add}_{\alpha'\sigma_s}\theta_s$;

6. $P(c_1, c_2) \in \textsc{add}_{\alpha\sigma_e}\theta_e$ if and only if $P(c_1, c_2), P_n(c_1, c_2) \in \textsc{add}_{\alpha'\sigma_s}\theta_s$;

7. $\alpha^e_T$ flushes all ABox assertions made by using $\textsc{voc}(T_n)$.

The other direction of the bisimulation relation can be proven symmetrically. □

Having Lemma 76 in hand, we can easily show that, given an E-GKAB, its transition system is S-bisimilar to the transition system of its corresponding S-GKAB obtained via the translation $\tau_E$.

Lemma 77. Given an E-GKAB $\mathcal{G}$, we have $\Upsilon^{f_E}_{\mathcal{G}} \sim_{SO} \Upsilon^{f_S}_{\tau_E(\mathcal{G})}$.

Proof. Let

1. $\mathcal{G} = (T, A_0, \Gamma, \delta_e)$, and $\Upsilon^{f_E}_{\mathcal{G}} = \langle \Delta, T, \Sigma_e, s_{0e}, abox_e, \Rightarrow_e\rangle$,

2. $\tau_E(\mathcal{G}) = (T_s, A_0, \Gamma_s, \delta_s)$, and $\Upsilon^{f_S}_{\tau_E(\mathcal{G})} = \langle \Delta, T_s, \Sigma_s, s_{0s}, abox_s, \Rightarrow_s\rangle$.

We have that $s_{0e} = \langle A_0, m_e, \delta_e\rangle$ and $s_{0s} = \langle A_0, m_s, \delta_s\rangle$, where $m_e = m_s = \emptyset$. By the definition of $\kappa_E$ and $\tau_E$, we also have $\delta_s = \kappa_E(\delta_e)$. Hence, by Lemma 76 we have $s_{0e} \sim_{SO} s_{0s}$. Therefore, by the definition of one-step jumping history bisimulation, we have $\Upsilon^{f_E}_{\mathcal{G}} \sim_{SO} \Upsilon^{f_S}_{\tau_E(\mathcal{G})}$. □

Having all of the ingredients in hand, we are now ready to show that the verification of $\mu\mathcal{L}^{EQL}_A$ properties over E-GKABs can be recast as verification over S-GKABs, as follows.

Theorem 78. Given an E-GKAB $\mathcal{G}$ and a closed $\mu\mathcal{L}^{EQL}_A$ property $\Phi$,

$\Upsilon^{f_E}_{\mathcal{G}} \models \Phi$ iff $\Upsilon^{f_S}_{\tau_E(\mathcal{G})} \models t_{dup}(\Phi)$.

Proof. By Lemma 77 we have that $\Upsilon^{f_E}_{\mathcal{G}} \sim_{SO} \Upsilon^{f_S}_{\tau_E(\mathcal{G})}$. Hence, by Lemma 61, the claim is proved. □


G Putting It All Together: From I-GKABs to S-KABs

Proof of Theorem 2

Proof. The claim is a consequence of Theorems 57, 73 and 78, which essentially show that the verification of $\mu\mathcal{L}^{EQL}_A$ properties over I-GKABs can be recast as verification over S-GKABs, since we can recast the verification of $\mu\mathcal{L}^{EQL}_A$ properties over B-GKABs, C-GKABs, and E-GKABs as verification over S-GKABs. □

Proof of Theorem 4

Proof. The proof is easily obtained from Theorems 2 and 3: by Theorem 2 we can recast the verification of $\mu\mathcal{L}^{EQL}_A$ over I-GKABs as verification over S-GKABs, and then by Theorem 3 we can recast the verification of $\mu\mathcal{L}^{EQL}_A$ over S-GKABs as verification over S-KABs. Thus, combining those two ingredients, we can reduce the verification of $\mu\mathcal{L}^{EQL}_A$ over I-GKABs to the corresponding verification of $\mu\mathcal{L}^{EQL}_A$ over S-KABs. □


G.1 Verification of Run-bounded I-GKABs

This section is devoted to the proof of Theorem 5. As a preliminary step, we formalize the notion of run-boundedness as follows.

Definition 79 (Run of a GKAB Transition System). Given a GKAB $\mathcal{G}$, a run of $\Upsilon_{\mathcal{G}} = \langle \Delta, T, \Sigma, s_0, abox, \Rightarrow\rangle$ is a (possibly infinite) sequence $s_0 s_1 \cdots$ of states of $\Upsilon_{\mathcal{G}}$ such that $s_i \Rightarrow s_{i+1}$ for all $i \geq 0$. ■

Definition 80 (Run-bounded GKAB). Given a GKAB $\mathcal{G}$, we say that $\mathcal{G}$ is run-bounded if there exists an integer bound $b$ such that for every run $\pi = s_0 s_1 \cdots$ of $\Upsilon_{\mathcal{G}}$, we have that

$\left| \bigcup_{s \text{ state of } \pi} \textsc{adom}(abox(s)) \right| < b$. ■

The notion of run-bounded KABs is similar.

Now we proceed to show that the reductions from I-GKABs to S-GKABs preserve run-boundedness.

Lemma 81. Let $\mathcal{G}$ be a B-GKAB and $\tau_B(\mathcal{G})$ be its corresponding S-GKAB. If $\mathcal{G}$ is run-bounded, then $\tau_B(\mathcal{G})$ is run-bounded.

Proof. Let

1. $\mathcal{G} = (T, A_0, \Gamma, \delta)$ and $\Upsilon^{f_B}_{\mathcal{G}}$ be its transition system,

2. $\Upsilon^{f_S}_{\tau_B(\mathcal{G})}$ be the transition system of $\tau_B(\mathcal{G})$.

The proof is easily obtained since

• the translation $\tau_B$ essentially only appends to each action invocation in $\delta$ some additional program to manage inconsistency,

• the actions introduced to manage inconsistency never inject new individuals, but only remove facts causing inconsistency,

• by Lemma 56 we have that $\Upsilon^{f_B}_{\mathcal{G}} \sim_L \Upsilon^{f_S}_{\tau_B(\mathcal{G})}$; thus, basically they are equivalent modulo repair states (states containing $M(rep)$).

□

Lemma 82. Let $\mathcal{G}$ be a C-GKAB and $\tau_C(\mathcal{G})$ be its corresponding S-GKAB. If $\mathcal{G}$ is run-bounded, then $\tau_C(\mathcal{G})$ is run-bounded.

Proof. Similar to the proof of Lemma 81, but using the S-bisimulation. □

Lemma 83. Let $\mathcal{G}$ be an E-GKAB and $\tau_E(\mathcal{G})$ be its corresponding S-GKAB. If $\mathcal{G}$ is run-bounded, then $\tau_E(\mathcal{G})$ is run-bounded.

Proof. Similar to the proof of Lemma 81, but using the S-bisimulation. □


Below we formally state the fact that the reduction from S-GKABs to S-KABs preserves run-boundedness.

Lemma 84. Let $\mathcal{G}$ be an S-GKAB and $\tau_S(\mathcal{G})$ be its corresponding S-KAB. If $\mathcal{G}$ is run-bounded, then $\tau_S(\mathcal{G})$ is run-bounded.

Proof. Let $\Upsilon^{f_S}_{\mathcal{G}}$ be the transition system of $\mathcal{G}$, and $\Upsilon_{\tau_S(\mathcal{G})}$ be the transition system of $\tau_S(\mathcal{G})$. The proof is then easily obtained since

• only a bounded number of new individuals are introduced when emulating the Golog program with S-KAB condition-action rules and actions,

• by Lemma we have that $\Upsilon^{f_S}_{\mathcal{G}} \sim \Upsilon_{\tau_S(\mathcal{G})}$; thus, basically they are equivalent modulo intermediate states (states containing $State(temp)$). Moreover, bisimilar states are basically equivalent modulo special markers.

□


Proof of Theorem 5

Proof. By Lemmas 81, 82 and 83, the translation from I-GKABs to S-GKABs preserves run-boundedness. Furthermore, by Lemma 84, run-boundedness is also preserved from S-GKABs to S-KABs. In the end, the claim follows by also combining Theorem 4 with the results in [Bagheri Hariri et al., 2013a; Bagheri Hariri et al., 2013b] for run-bounded S-KABs. □